Recent security announcement and csup/cvsup?
David Thiel
lx at FreeBSD.org
Sat Nov 17 23:53:40 UTC 2012
On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?
Regardless of the circumstances of the incident, use of cvsup/csup has
always been horrendously dangerous. People should regard any code
retrieved over this channel to have been potentially compromised by a
network attacker.
Portsnap. Srsly.
-David
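The point of the reply is that a tree fetched over cvsup/csup carries no integrity check, so a network attacker can rewrite any file, whereas portsnap verifies a signed index of file digests before installing anything. The following Python script is an added illustration of that difference and is not part of the original thread or of either tool's code: all file contents are constructed, and an HMAC-SHA256 keyed with a pinned secret stands in for the public-key signature a real snapshot tool uses (the structure of the check chain, pinned key → signature over the index → per-file digest, is the same).

```python
"""
Added example, not from the mailing-list thread: contrasts an unauthenticated
tree transfer (cvsup/csup style, nothing to verify) with an integrity-protected
snapshot (portsnap style).  All data is constructed.

Assumption: HMAC-SHA256 under PINNED_KEY stands in for the public-key
signature the real tool applies to its index; the verification chain is the
same: pinned key -> signature over index of digests -> per-file SHA-256.
"""
import hashlib
import hmac
import json

PINNED_KEY = b"constructed-pinned-verifier-key"  # stands in for a pinned public key


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_snapshot(files, key):
    """Publisher side: index every file by SHA-256 and sign the index."""
    index = {name: sha256_hex(content) for name, content in sorted(files.items())}
    index_bytes = json.dumps(index, sort_keys=True).encode()
    tag = hmac.new(key, index_bytes, hashlib.sha256).hexdigest()
    return dict(files), index, tag


def verify_snapshot(files, index, tag, key):
    """Client side: returns a list of problems; an empty list means the tree is intact."""
    problems = []
    index_bytes = json.dumps(index, sort_keys=True).encode()
    expected = hmac.new(key, index_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        problems.append("index signature does not verify")
        return problems  # nothing listed in the index can be trusted
    for name, digest in index.items():
        if name not in files:
            problems.append("missing file: " + name)
        elif sha256_hex(files[name]) != digest:
            problems.append("digest mismatch: " + name)
    for name in files:
        if name not in index:
            problems.append("unlisted file: " + name)
    return problems


def unauthenticated_fetch(files):
    """cvsup-style: whatever arrives is accepted as-is; there is nothing to check."""
    return dict(files)


def modify_in_transit(files):
    """Constructed network-attacker model: one file is altered between server and client."""
    altered = dict(files)
    altered["Makefile"] = altered["Makefile"] + b"\nall: something-else\n"
    return altered


def demo():
    tree = {"Makefile": b"all: build\n", "distinfo": b"SHA256 (x.tar.gz) = abc\n"}
    files, index, tag = build_snapshot(tree, PINNED_KEY)

    # Unauthenticated channel: the altered tree is accepted without complaint.
    accepted_blindly = unauthenticated_fetch(modify_in_transit(files)) == modify_in_transit(files)

    # Protected channel, untouched: verifies clean.
    clean = verify_snapshot(files, index, tag, PINNED_KEY)

    # Protected channel, one file altered: per-file digest catches it.
    altered = verify_snapshot(modify_in_transit(files), index, tag, PINNED_KEY)

    # Attacker also rewrites the index to match the altered file: the signature fails.
    a_files = modify_in_transit(files)
    rewritten_index = {n: sha256_hex(c) for n, c in a_files.items()}
    forged = verify_snapshot(a_files, rewritten_index, tag, PINNED_KEY)

    return {"accepted_blindly": accepted_blindly, "clean": clean,
            "altered": altered, "forged": forged}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The only fact the client needs out-of-band is the pinned key; everything else (index, signature, files) can travel over an untrusted network, which is exactly what the cvsup path lacks.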