From owner-freebsd-security@FreeBSD.ORG Thu Apr 10 23:38:47 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BB676658 for ; Thu, 10 Apr 2014 23:38:47 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9AB6212C4 for ; Thu, 10 Apr 2014 23:38:47 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s3ANclpP076715 for ; Thu, 10 Apr 2014 23:38:47 GMT (envelope-from bdrewery@freefall.freebsd.org) Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s3ANckQ0076711 for freebsd-security@freebsd.org; Thu, 10 Apr 2014 23:38:46 GMT (envelope-from bdrewery) Received: (qmail 32872 invoked from network); 10 Apr 2014 18:38:45 -0500 Received: from unknown (HELO ?10.10.0.24?) (freebsd@shatow.net@10.10.0.24) by sweb.xzibition.com with ESMTPA; 10 Apr 2014 18:38:45 -0500 Message-ID: <53472B7F.5090001@FreeBSD.org> Date: Thu, 10 Apr 2014 18:38:39 -0500 From: Bryan Drewery Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: David.I.Noel@gmail.com, freebsd-security@freebsd.org, security@FreeBSD.org, Colin Percival Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update] References: In-Reply-To: X-Enigmail-Version: 1.6 OpenPGP: id=6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="912kS9jVUih1hEInUujejB43T7nkUJNab" X-Mailman-Approved-At: Fri, 11 Apr 2014 02:08:35 +0000 Cc: secteam X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Apr 2014 23:38:47 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --912kS9jVUih1hEInUujejB43T7nkUJNab Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 4/10/2014 12:03 PM, David Noel wrote: > I found a few bugs in portsnap and freebsd-update that I'd like to > bring to the community's attention and hopefully recruit people to > help fix. I mentioned them to Colin (their author) a few years ago and > he agreed that they're issues that need to be addressed, but in the > time since neither he nor I have been able to get around to fixing > them. I'm hoping that someone reading this is able and willing to > pitch in. I've also taken this to secteam@, but no one there's made > any progress on them in the past 6 months so I figured it was time to > approach the broader community. Surely there's a benevolent sh-savvy > hacker out there who has time to take these on. They're pretty simple > fixes -- the functionality that's needed exists in the scripts > already, it just needs to be reused in a few key places. >=20 > I also think it would be an appropriate time to discuss retiring portsn= ap. >=20 [snip] >=20 > With the inclusion of svnlite in 10 I think the valid question comes > up as to whether we really need the portsnap system or whether it > could be safely retired. Obviously if the conclusion of that > discussion is that we don't need it then these bug fixes would be > unnecessary. >=20 > The reason I see for it to be retired is that subversion allows us to > easily and securely check out the ports tree. It's a one-line command: > `svn co https://...`. Keeping it up-to-date it is another one-liner: > `cd /usr/ports; svn update`. With the inclusion of svnlite in base, > the portsnap code and servers acting as mirrors become redundant and > seem like a waste of resources. Your report aside, I find portsnap to be far superior in security for ports and users. I wish it knew how to checkout source as well. 1. It only allows a secure checkout. You can't accidentally checkout svn:// or http://. 2. It blows away directories with updates. I've witnessed a trojaned ports checkout before. 'svn update' does not remove unexpected files, nor remove changes. Yes this is a decrease in usability when you've modified the file and want to keep the changes, but you can easily make a wrapper script to merge in your changes, or use SVN if you really want.= 3. SVN too often gets into confusing situations on 'svn update' that require knowledge of how SVN works to resolve the conflict. Even I with my ~10 years of SVN experience I get confused often and frustrated when not even 'svn revert -R dir; svn up dir' will revert to the upstream version (I may have my example off, but that's the point, it's confusing.= ) 4. SVN asks the user to confirm the public key when first using the HTTPS repository. I worry this step will be done poorly by users. 5. SVN requires 'svn upgrade' sometimes, this is also confusing for users= =2E 6. The way we do HTTPS is through mirrors only, if you pick the wrong mirror it's against hard for the user who doesn't know SVN to change to a different mirror. Portsnap already handles mirrors excellently by geo location. Teaching portsnap how to speak SVN, while still behaving the same, may cover my concerns. To be fair SVN does have its advantages: 1. Quicker updates for users. 2. Easier patch generation for PR submission. 3. Similarly, viewing your changes more easily. --=20 Regards, Bryan Drewery --912kS9jVUih1hEInUujejB43T7nkUJNab Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTRyt/AAoJEDXXcbtuRpfPphoH/2s+W3l6QA5duWjXTdtSjsCW aG0m/K/Fs/rOw4NJcbTGYLucnxJV001ho6SnSQEPznS8V2zNMEueAnYhQDEj/58O s2RwLC4xdRxEWslOEnvXF+4pYVFH/SI75N7e09n8igPcnWJa/a9pwbluJSNAys+r Y2z8CbQEvsIh0/j/Jo2g4BgQm4cs5WvtoN7Wnk3++19VhRdmWH+/smLT9BGFDINi FbNk26h9prKBgMJs+1Sqgm4KB6UICVE/DByds96OrG+4A4MQYTQDP9hWNrgvySJd VZxJU67GhD+Cu5PmV+ryREFK9RSnCO/R5bs+R7P2zmPD+n+ha2+03QsYFMk3068= =Rh7W -----END PGP SIGNATURE----- --912kS9jVUih1hEInUujejB43T7nkUJNab--