Recent security announcement and csup/cvsup?

Chris Rees utisoft at gmail.com
Sat Nov 17 15:14:02 UTC 2012


On 17 Nov 2012 15:06, "Gary Palmer" <gpalmer at freebsd.org> wrote:
>
> Hi,
>
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster?  Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?
>
> If it is the latter, someone from the community could check rather than
> encourage everyone who has been using csup/cvsup to wipe and reinstall
> their boxes.  Unfortunately the wipe option is not possible for me right
> now and my backups do go back to before the 19th of September

Checks are being made, but CVS makes it slow work.

It's incredibly unlikely that there will be a problem, but the Project has
to be cautious in recommendations.

Chris

