Date: Thu, 20 Aug 2015 16:04:52 +0300 From: Roman Kurakin <rik@inse.ru> To: Helge Oldach <freebsd@oldach.net>, ctm-users@freebsd.org Subject: Re: Do you still need CTM? Message-ID: <55D5D074.4030301@inse.ru> In-Reply-To: <201508201259.t7KCxSUd006343@sep.oldach.net> References: <201508201259.t7KCxSUd006343@sep.oldach.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi,
On 08/20/2015 03:59 PM, Helge Oldach wrote:
> Hi,
>
> (Sorry for the noise.)
>
> Julian H. Stacey wrote on Thu, 20 Aug 2015 14:01:03 +0200 (CEST):
>> If an axer asserts
>> there's a security issue, original author phk@ may be interested.
>> <ctm-users@freebsd.org> may also be interested to fix it, but
>> axe propenet has Not provided us detail.
> I suspects it's related to a potential MITM threat: Both freebsd-update as well as svn deliver mechanisms to detect such attacks and refuse to update. CTM doesn't - actually it's fairly easy to tamper with deltas shipped by unencrypted e-mail. (No, md5 sums don't help.)
So, signing emails would be enough?
Best regards,
rik
> [...]
>
> Regards,
> Helge
> _______________________________________________
> ctm-users@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/ctm-users
> To unsubscribe, send any mail to "ctm-users-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55D5D074.4030301>