Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

Chad Perrin code at apotheon.net
Fri Apr 25 18:02:28 UTC 2014


On Mon, Apr 14, 2014 at 12:36:28AM -0500, David Noel wrote:
> > Indeed it is not.  David's solution - which seems to amount to removing
> > portsnap and herding the cats at home to DTRT about using svn securely -
> > relies on other cats being as smart and aware of the ramifications as he
> > is - a highly questionable proposition especially for the numerous more
> > naive users that portsnap renders the process of securely upgrading the
> > ports tree just about as simple and consistent as it can be.
> 
> On the one hand I do get what you're saying. On the other I don't know
> that you're fairly characterizing the typical portsnap user. Building
> ports from source is not something I would think a novice FreeBSD user
> would do (make can be--and often is--an absolute nightmare!). Rather,
> I would imagine a novice would be using something like pkgng.

When I was a novice FreeBSD user, lo these many many moons ago when the
world was young and neckbearded Unix gods roamed the earth, I installed
from source using the ports system.


> >
> > David, perhaps your obvious talent for auditing the portsnap code and
> > its server-side configuration might be better applied to remedying any
> > perceived vulnerabilities in conjunction with present and past security
> > officers and teams?
> 
> Thanks. I'm happy to, and it's on my to-do list, the only problem is
> that I'm swamped with other projects and it's been sitting on that
> list for the past 2 years. It seems to be a similar problem for Colin
> and the Security Team. I'm hoping that by bringing this bug to the
> list that someone with more free time will be able to patch it.

Would you be willing to put the time into training up someone to do that
work?  I'm a bit of a fixer-upper, but I am willing and eager to
contribute.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]