Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
David Noel
david.i.noel at gmail.com
Sun Apr 13 21:07:12 UTC 2014

> Portsnap uses secured access for getting updates out of Subversion

The portsnap open source project pulls data insecurely using the URL
svn://svn.freebsd.org.

The server-side code of the FreeBSD portsnap system -- a closed source
fork of the open source portsnap project -- happens to use secured
access for pulling data from svn. This is not a trivial point.

> whereas doing "svn co" remotely generally does not.

Without knowing usage statistics there is no way to describe a
"general" use case for `svn co`. The security of access of that
command is entirely dependent on how it is parameterized.

More information about the freebsd-security mailing list