Recent security announcement and csup/cvsup?

b. f. bf1783 at googlemail.com
Sun Nov 18 20:28:29 UTC 2012


On 11/18/12, Gary Palmer <gpalmer at freebsd.org> wrote:
> On Sat, Nov 17, 2012 at 05:07:16PM +0100, M. Schulte wrote:
>> Hi,
>>
>> > Can someone explain why the cvsup/csup infrastructure is considered
>> > insecure [...]
>>
>> Speaking of cvsup security -- correct me if I'm wrong, but as far as I
>> know cvsup is generally vulnerable to man-in-the-middle attacks[0]. Hence
>> I'd be very happy about more and more people moving over to the portsnap
>> camp.
>>
>> Best,
>> mel
>>
>> [0] http://en.wikipedia.org/wiki/Portsnap
>>
>> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html
>
> While I haven't investigated its protocol in detail, I would tend to
> suspect that svn is just as vulnerable as AFAIK the FreeBSD SVN servers
> are running in clear text mode.  And yet we are being pushed towards SVN
> for source access instead of cvsup.

For the base system, and for projects, you should be able to use:

https://svn0.us-west.FreeBSD.org/
https://svn0.us-east.FreeBSD.org/

Unfortunately, AFAIK, the ports tree is not yet available via this
interface. (You could use a script and a https client with
https://svnweb.FreeBSD.org/ports , but this isn't very convenient.)

>
> portsnap is great if you can use the official ports tree without local
> modifications.  If you need to patch some ports locally (for whatever
> reason) then I believe it is less helpful. cvs/svn let you update your
> local ports tree while keeping your local changes.

True.  There are workarounds, but they're a bit awkward. CTM+PGP is
only slightly more convenient in this regard.

>
> In other words: while signed updates via freebsd-update and portsnap
> are great for a good chunk of users, they don't address everyone's needs.
>

b.
