Date:      Mon, 28 Jan 2013 14:09:34 -0500
From:      John Baldwin <jhb@freebsd.org>
To:        freebsd-security@freebsd.org
Cc:        Andre Rekovic <andre.rekovic@gmail.com>
Subject:   Re: Is portsnap secure or isn't it? (2012 compromise and general reflections)
Message-ID:  <201301281409.34192.jhb@freebsd.org>
In-Reply-To: <CA+vYve53J-K_1Z_F4CHtApdZSknbDeGgnbe7n7TrWhA0D2XyOg@mail.gmail.com>
References:  <CA+vYve53J-K_1Z_F4CHtApdZSknbDeGgnbe7n7TrWhA0D2XyOg@mail.gmail.com>

On Monday, January 28, 2013 3:07:31 am Andre Rekovic wrote:
> "We unfortunately cannot guarantee the integrity of any packages
> available for installation between 19th September 2012 and 11th
> November 2012, or of any ports compiled from trees obtained via any
> means other than through svn.freebsd.org or one of its mirrors."
> 
> It's my understanding that any ports trees created/updated via
> portsnap *between 19th September 2012 and 11th November 2012* may be
> affected but that ports trees created/updated via portsnap a little
> outside of that time window should be fine. Is this right? I can't be
> completely sure from the above quote.

Your assumption is correct.  The root issue here is that there are two
repositories that hold the ports tree, SVN and CVS.  The CVS repository
is updated by a script that replays each SVN commit into the CVS
repository, allowing downstream users of CVS via cvsup or other means
to continue using the ports tree after it was switched from CVS to
SVN.  The issue in this case is that while the SVN repository is
known to be completely fine, the CVS repository is not and is
considered suspect.

> "We have also verified that the most recently-available portsnap(8)
> snapshot matches the ports Subversion repository, and so can be fully
> trusted. Please note that as a precaution, newer portsnap(8)
> snapshots are currently not being generated."

The meaning of this is that we have verified that, after the end date
(11th November 2012), the ports CVS and SVN trees are fully in sync.
We also know that they are in sync going forward.  However, during
that window, CVS is suspect.  The important point here for portsnap is
that portsnap snapshots are generated from the CVS repository.
 
> That mentions only the most recently available portsnap snapshot (at
> the time). Presumably there are suspect snapshots (perhaps those
> distributed within the critical window).

Correct, any snapshot generated while the CVS tree was suspect is
suspect.  The problem here is that portsnap's trusted source was
suspect. :(

> I can think of only two explanations for suspect snapshots:
> 
> 2. A deeply troubling approach to how snapshots are (or were) getting
> signed with the private key (picture a push-button automated signing
> or a manual signing accompanied by a complete lack of vigilant
> checking). This approach would completely undermine user confidence in
> portsnap.

I think it is closer to the latter with the implicit assumption that
the CVS repository could be trusted.  I do think it is going to switch
to pulling from SVN (if it hasn't already), but you still have the issue
of knowing how you can trust the repository being used for snapshots.

-- 
John Baldwin
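The practical consequence of the thread above is that a portsnap(8) snapshot whose signature verifies can still be suspect, because the signature only proves the snapshot is what the build host published, not that the build host's source (the CVS mirror) was trustworthy at the time. The following is an added example, not code from this thread or from FreeBSD's portsnap, that reads a portsnap tag line and reports whether the snapshot was generated inside the 19 September 2012 to 11 November 2012 window the advisory names. It assumes the tag file `/var/db/portsnap/tag` holds a single line of the form `portsnap|<unix-timestamp>|<sha256>` (the shape portsnap.sh checks for); the sample tags embedded below are constructed, with placeholder hashes.

```python
"""Classify a portsnap(8) snapshot tag against the 2012 suspect window.

Added example; not from the mailing-list thread or from FreeBSD's portsnap.
Assumption: /var/db/portsnap/tag holds one line of the form
    portsnap|<unix-timestamp>|<sha256 of the snapshot index>
The sample tags at the bottom are constructed for illustration; their
hashes are placeholders, not real snapshot digests.
"""
import re
from datetime import datetime, timezone
from typing import Tuple

# Window named in the advisory quoted in the thread (inclusive, UTC dates).
WINDOW_START = datetime(2012, 9, 19, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2012, 11, 11, 23, 59, 59, tzinfo=timezone.utc)

# Ten-digit epoch seconds and a 64-hex-char SHA-256, as portsnap.sh expects.
TAG_RE = re.compile(r"^portsnap\|([0-9]{10})\|([0-9a-f]{64})$")


def is_valid_tag(line: str) -> bool:
    """True if the line has the portsnap tag shape (format check only)."""
    return TAG_RE.match(line.strip()) is not None


def parse_tag(line: str) -> Tuple[datetime, str]:
    """Return (snapshot time in UTC, snapshot hash); ValueError if malformed."""
    m = TAG_RE.match(line.strip())
    if not m:
        raise ValueError("invalid snapshot tag: %r" % line)
    ts, digest = m.groups()
    return datetime.fromtimestamp(int(ts), tz=timezone.utc), digest


def classify(line: str) -> str:
    """'suspect' if the snapshot was generated inside the window, else 'ok'.

    A tag that passed portsnap's signature check only proves the snapshot is
    what the build host published; this date check is what answers whether
    the build host's source (the CVS mirror) was trustworthy at the time.
    """
    when, _ = parse_tag(line)
    return "suspect" if WINDOW_START <= when <= WINDOW_END else "ok"


def check_tag_file(path: str = "/var/db/portsnap/tag") -> str:
    """Classify the snapshot recorded in a local portsnap tag file."""
    with open(path) as f:
        return classify(f.readline())


# Constructed sample tags: real dates, placeholder hashes.
SAMPLE_TAGS = {
    # 2012-09-01 00:00:00 UTC: before the window
    "portsnap|1346457600|" + "00" * 32: "ok",
    # 2012-10-15 12:00:00 UTC: inside the window
    "portsnap|1350302400|" + "11" * 32: "suspect",
    # 2012-11-20 00:00:00 UTC: after CVS and SVN were re-verified in sync
    "portsnap|1353369600|" + "22" * 32: "ok",
}

if __name__ == "__main__":
    for tag, expected in SAMPLE_TAGS.items():
        when, _ = parse_tag(tag)
        print("%s  %-8s (expected %s)" % (when.strftime("%Y-%m-%d"),
                                          classify(tag), expected))
```

On a real system, `check_tag_file()` reads the installed tag; note that it only tells you when the last snapshot you fetched was generated, so a tree fetched inside the window and later updated with `portsnap fetch update` will show the newer, clean date even though suspect files may have been applied earlier.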



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201301281409.34192.jhb>