Date: Thu, 20 Aug 2015 06:47:47 +0200
From: Andre Albsmeier <Andre.Albsmeier@siemens.com>
To: "Montgomery-Smith, Stephen" <stephen@missouri.edu>
Cc: "ctm-users@freebsd.org" <ctm-users@freebsd.org>
Subject: Re: Do you still need CTM?
Message-ID: <20150820044747.GB18686@bali>
In-Reply-To: <55D5123A.50407@missouri.edu>
References: <55D3E582.2030908@missouri.edu> <55D5123A.50407@missouri.edu>

On Wed, 19-Aug-2015 at 23:33:15 +0000, Montgomery-Smith, Stephen wrote:
> On 08/18/2015 09:10 PM, Montgomery-Smith, Stephen wrote:
> > I just received an email from one of the FreeBSD people telling me
> > that they are worried about the security threat posed by CTM.
> > They would like to disconnect it from the base FreeBSD system.
> >
> > Personally I have become extremely happy with using subversion, and
> > if CTM were to disappear, I could live without it very easily.
> >
> > But maybe some of you feel differently. One thing we could do is
> > 1. Create a CTM port; 2. Put the deltas on a server other than
> > official FreeBSD servers; 3. Host our own mailing lists.
> >
> > Honestly, I think the best thing to do is to close CTM. But if
> > anyone else really wants CTM, and is willing to do (2) and (3), I
> > can easily do (1).
>
> 1. One thing I can do is to keep the CTM deltas being generated, and
> keep the following web page open: http://web.missouri.edu/~stephen/CTM/
> The only thing I cannot store are the svn-cur xEmpty files, because I

I personally could live with that perfectly.

> haven't been given enough space. I cannot maintain any kind of
> mailing list. Also, since this web space belongs to the University of
> Missouri, they might take it down some day.

So one would have to check this web page to get the latest deltas?
Well, that's fine as well.

>
> 2. I am sympathetic to the security concerns. Having seen the recent
> security advisories, it seems to me that no-one can predict how some
> odd bit of code on the side will one day become a problem. And I
> think to do a full audit of the ctm code would be a lot of work.
>
> If we disconnect CTM from the FreeBSD project, and run it privately
> from the side, then it doesn't decrease our security problems. But it
> does decrease FreeBSD's potential security problems. And if the CTM
> code gets hit by some weird virus (e.g. a forged email sending a delta
> that lays your computers open to the world), the FreeBSD project won't
> then get embarrassed.

OK. Again fine for me.

>
> 3. I'm not so sympathetic to the issue of how much space the svn
> repository takes. Disk space is so cheap these days. But presumably

Right. But there are machines where you can't simply plug in
a 2 TB SATA drive -- no matter if it costs 10 or 100 Euros.
And if you have got several of these, you really start to
love CTM ;-)

	-Andre

> people who are concerned over that issue don't need the svn-cur CTM
> deltas, and only want ports-cur or src-*. Then what I offer in point
> (1) should be satisfactory.
>
> Stephen
> _______________________________________________
> ctm-users@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/ctm-users
> To unsubscribe, send any mail to "ctm-users-unsubscribe@freebsd.org"

-- 
Every project manager who believes he manages projects also believes
that brimstone butterflies (Zitronenfalter, literally "lemon folders")
fold lemons.