Date: Sat, 17 Nov 2012 15:14:00 +0000
From: Chris Rees <utisoft@gmail.com>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Recent security announcement and csup/cvsup?
Message-ID: <CADLo83-kcQWBUXwtWka5Sd%2BsNaDFGBxZuKbDN5g5ZDOf1cuGQw@mail.gmail.com>
In-Reply-To: <20121117150556.GE24320@in-addr.com>
References: <20121117150556.GE24320@in-addr.com>

On 17 Nov 2012 15:06, "Gary Palmer" <gpalmer@freebsd.org> wrote:
>
> Hi,
>
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?
>
> If it is the latter, someone from the community could check rather than
> encourage everyone who has been using csup/cvsup to wipe and reinstall
> their boxes. Unfortunately the wipe option is not possible for me right
> now and my backups do go back to before the 19th of September

Checks are being made, but CVS makes it slow work. It's incredibly unlikely
that there will be a problem, but the Project has to be cautious in
recommendations.

Chris