Date:      Sat, 17 Nov 2012 18:05:48 -0500 (EST)
From:      Trevor Johnson <trevor@jpj.net>
To:        freebsd-security@freebsd.org
Subject:   Re: Recent security announcement and csup/cvsup?
Message-ID:  <alpine.BSF.2.00.1211171758590.48317@blues>
In-Reply-To: <CADLo83-kcQWBUXwtWka5Sd%2BsNaDFGBxZuKbDN5g5ZDOf1cuGQw@mail.gmail.com>
References:  <20121117150556.GE24320@in-addr.com> <CADLo83-kcQWBUXwtWka5Sd%2BsNaDFGBxZuKbDN5g5ZDOf1cuGQw@mail.gmail.com>

Chris Rees wrote:

> On 17 Nov 2012 15:06, "Gary Palmer" <gpalmer@freebsd.org> wrote:
>>
>> Hi,
>>
>> Can someone explain why the cvsup/csup infrastructure is considered insecure
>> if the person had access to the *package* building cluster?  Is it because
>> the leaked key also had access to something in the chain that goes to cvsup,
>> or is it because the project is not auditing the cvsup system and so the
>> default assumption is that it cannot be trusted to not be compromised?
>>
>> If it is the latter, someone from the community could check rather than
>> encourage everyone who has been using csup/cvsup to wipe and reinstall
>> their boxes.  Unfortunately the wipe option is not possible for me right
>> now and my backups do go back to before the 19th of September
>
> Checks are being made, but CVS makes it slow work.

It sounds as though someone is reading all the RCS files. Is that what's 
happening? As I understand it, the doc, ports and src CVS repositories are 
now being generated from Subversion. According to the Web page about the 
breach, the Subversion repos are known to be intact. If known-good CVS 
trees from the time of the switchover to Subversion are available, 
couldn't updated CVS repos be made by running svn_cvsinject as described 
at http://sam.zoy.org/writings/programming/svn2cvs.html ? It says:

         If your CVS repository ever gets corrupted, you can reinject every
         SVN commit by restoring your backuped CVS tree and calling
         svn_cvsinject again for every revision since you used cvs2svn.

It seems that this would be far less error-prone, and far less
labor-intensive, than eyeballing everything.

Is the plan to eventually shut down the anoncvs and CVsup services 
entirely? If so, shall the Gnats database be made available to the public 
through other means besides the query-pr CGI? I ask this after looking at 
http://www.freebsd.org/doc/en/articles/committers-guide/article.html#gnats 
.
-- 
Trevor Johnson
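The thread above weighs reading every RCS file by hand against regenerating the CVS trees from Subversion; either way, the result has to be checked against a known-good copy of the tree. As an added example that is not part of the original mail nor of any FreeBSD tooling, here is a small Python script that hashes every file under a trusted reference tree and a candidate tree and reports which files were added, removed or modified. The sample trees, file names and contents it builds are constructed for illustration only.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map every regular file under root (as a relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                # Stream in chunks so large ,v history files do not have to fit in memory.
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(reference, candidate):
    """Report how candidate differs from reference: files added, removed, or modified."""
    ref = tree_digests(reference)
    cand = tree_digests(candidate)
    return {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "modified": sorted(p for p in ref.keys() & cand.keys() if ref[p] != cand[p]),
    }


def build_sample_trees(base):
    """Constructed sample: a trusted CVS tree and a copy with one RCS file altered,
    one planted and one missing. Paths and contents are made up for this example."""
    base = Path(base)
    good = {
        "src/sys/kern/kern_exec.c,v": b"head 1.2;\n...\n",
        "src/bin/ls/ls.c,v": b"head 1.5;\n...\n",
        "ports/www/foo/Makefile,v": b"head 1.1;\n...\n",
    }
    ref = base / "reference"
    cand = base / "candidate"
    for rel, data in good.items():
        for root in (ref, cand):
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)
    # Introduce the three kinds of discrepancy into the candidate copy.
    (cand / "src/sys/kern/kern_exec.c,v").write_bytes(b"head 1.3;\n... (extra revision)\n")
    planted = cand / "ports/www/bar/Makefile,v"
    planted.parent.mkdir(parents=True, exist_ok=True)
    planted.write_bytes(b"head 1.1;\n...\n")
    (cand / "src/bin/ls/ls.c,v").unlink()
    return ref, cand


def demo():
    """Build the constructed trees in a temporary directory and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, cand = build_sample_trees(tmp)
        return compare_trees(ref, cand)


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "modified"):
        for rel in report[kind]:
            print(f"{kind:9s} {rel}")
```

Against real repositories you would call compare_trees() with the known-good tree (for instance a backup from before the switchover) and the tree currently being served, and then inspect only the files it flags, rather than every RCS file.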


