Date: Thu, 14 Jul 2005 13:13:34 +0200
From: Anton Berezin <tobez@tobez.org>
To: Michael Scheidell
Cc: freebsd-security@freebsd.org
Subject: Re: Perl master site changed to tobez.org?
Message-ID: <20050714111334.GE84181@heechee.tobez.org>
List: freebsd-security@freebsd.org (Security issues [members-only posting])

Michael,

Sorry I did not reply earlier, I was on vacation.
On Wed, Jun 29, 2005 at 05:37:16PM -0400, Michael Scheidell wrote:
> Tobez: no disrespect intended, obviously you saw a problem with the
> master sites for perl 5.8.7 and did what you could to help, and with
> your position as a maintainer, I know that the trust we have in you and
> your patches is well earned, so don't take this question as anything but
> my well-earned paranoia rearing its ugly head:
>
> Yes, building perl 5.8.7 did seem like it had a lot of problems with the
> MASTER_SITES, which is why I went to the FreeBSD ports CVS tree and
> looked to see if they fixed it; however, I believe it would be prudent
> for me to ask:
>
> How safe is this site of yours?
> And, yes, in some of my build scripts I pull the distfiles from our
> local system due to some issues with some of the sites; however, how
> safe is tobez.org from hacking?
> (ok, so, how safe is OUR site from hacking, or anyone's for that matter),
> so please don't take this as a challenge. I have enough to do not to
> have to go rebuilding our servers.

I think you are missing several things here:

1. The ":local" suffix there is an example of the use of the existing
   support for master site groups. In particular, only BSDPAN and the
   defined-or patch can in principle be stored there, not the perl
   tarball itself.

2. Unless you use master sites randomization, tobez.org will be the last
   place to go for the files in question.

3. Most importantly, if you do not trust the existing MD5 and size
   distinfo checks, you should probably not use the ports collection
   at all.

I hope this addresses your concerns.

Cheers,
\Anton.

-- 
The moronity of the universe is a monotonically increasing function.
	-- Jarkko Hietaniemi
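Point 3 above is the part that actually bounds the risk from any single MASTER_SITE: whatever host a distfile is fetched from, the ports framework refuses to extract it unless its MD5 and byte size match the port's distinfo, which is committed to the ports tree and not to the mirror. The script below is an added illustration of that check, written for this page; it is not code from the mail or from the ports framework's bsd.port.mk. It reimplements the 2005-era distinfo format ("MD5 (file) = hex" and "SIZE (file) = bytes" lines; newer distinfo files carry SHA256 lines as well) and assumes either GNU md5sum or BSD md5 is on PATH. The distfile and distinfo it creates are constructed, not real perl checksums.

```shell
#!/bin/sh
# Added example, not from the original mail or the FreeBSD ports tree:
# a minimal stand-in for what "make checksum" does with a port's
# distinfo. Both the MD5 and the SIZE line must match, otherwise the
# distfile is rejected regardless of which master site served it.

# md5_of FILE: print the hex MD5 of FILE using whichever tool is present
# (GNU coreutils md5sum or BSD md5). Assumption: one of them is on PATH.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_distfile DISTDIR DISTINFO NAME
# Returns 0 when DISTINFO carries both an MD5 and a SIZE entry for NAME
# and both match DISTDIR/NAME; returns 1 on any mismatch or missing entry.
verify_distfile() {
    distdir=$1; distinfo=$2; name=$3
    file="$distdir/$name"
    [ -f "$file" ] || { echo "$name: distfile missing" >&2; return 1; }

    # distinfo lines look like:  MD5 (perl-5.8.7.tar.bz2) = <hex>
    want_md5=$(sed -n "s/^MD5 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_md5" ] || [ -z "$want_size" ]; then
        echo "$name: no MD5/SIZE entry in distinfo" >&2
        return 1
    fi

    have_md5=$(md5_of "$file")
    have_size=$(wc -c < "$file" | tr -d ' ')   # tr: BSD wc pads with spaces

    if [ "$have_md5" != "$want_md5" ]; then
        echo "$name: MD5 mismatch (want $want_md5, have $have_md5)" >&2
        return 1
    fi
    if [ "$have_size" != "$want_size" ]; then
        echo "$name: SIZE mismatch (want $want_size, have $have_size)" >&2
        return 1
    fi
    echo "$name: OK"
    return 0
}

# demo: build a constructed distfile plus a matching distinfo, verify it,
# then tamper with the file (as a compromised mirror would) and confirm
# the check now fails. Returns 0 only if both outcomes are as expected.
demo() {
    tmp=$(mktemp -d)
    name=perl-5.8.7.tar.bz2
    printf 'constructed stand-in, not the real tarball\n' > "$tmp/$name"
    {
        echo "MD5 ($name) = $(md5_of "$tmp/$name")"
        echo "SIZE ($name) = $(wc -c < "$tmp/$name" | tr -d ' ')"
    } > "$tmp/distinfo"

    if verify_distfile "$tmp" "$tmp/distinfo" "$name"; then ok=0; else ok=1; fi
    printf 'appended by an untrusted mirror\n' >> "$tmp/$name"
    if verify_distfile "$tmp" "$tmp/distinfo" "$name"; then bad=0; else bad=1; fi

    rm -rf "$tmp"
    [ "$ok" = 0 ] && [ "$bad" = 1 ]
}

demo
```

The usage model matches the mail's argument: the distinfo is the trust anchor, so a mirror (tobez.org or any other MASTER_SITE) can at worst cause a fetch failure, not a silent substitution, unless the attacker can also change the distinfo in your ports tree.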