Date: Sat, 17 Nov 2012 10:05:57 -0500
From: Gary Palmer <gpalmer@freebsd.org>
To: freebsd-security@freebsd.org
Subject: Recent security announcement and csup/cvsup?
Message-ID: <20121117150556.GE24320@in-addr.com>

Hi,

Can someone explain why the cvsup/csup infrastructure is considered insecure if the person had access to the *package* building cluster? Is it because the leaked key also had access to something in the chain that goes to cvsup, or is it because the project is not auditing the cvsup system and so the default assumption is that it cannot be trusted to not be compromised?

If it is the latter, someone from the community could check rather than encourage everyone who has been using csup/cvsup to wipe and reinstall their boxes.

Unfortunately the wipe option is not possible for me right now and my backups do go back to before the 19th of September.

Thanks

Gary