Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

[David Noel]

>> If you look at the portsnap build code you'll see that the first
>> thing portsnap does is pull the ports tree from Subversion. It uses
>> the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh
>> the entire ports archive is exposed to corruption right from the
>> start.
>
> Just to clarify -- this is not entirely true.  I have double checked
> and confirmed that the snapshot builder of portsnap at FreeBSD.org
> uses svn over spiped transport.
>
> The configuration on svn do not necessarily reflect what's running in
> production (however you brought a very good point that it's a good
> idea to bring them public assuming there is no sensitive information
> in them so anyone can review them).

Thanks for checking on that. I don't have production access so I could
only assume that what was in /user/cperciva/portsnap-build was what we
were running. I'm surprised to find out that it's not.

My main point was that if you don't trust Subversion it makes no sense
to say you trust portsnap. Portsnap pulls the ports tree from
Subversion. Using Subversion! The portsnap system relies on the trust
of both svnadmin and svn. Just as it does when you run svn co and svn
up. If you say you don't trust Subversion, essentially what you're
saying is that you don't trust anything running on your computer.

> you brought a very good point that it's a good
> idea to bring them public assuming there is no sensitive information
> in them so anyone can review them).

Thank you. I hope something comes of this conversation. I have no
access to production so for these sorts of things all I can do is mail
this list and hope that someone makes the requested changes.