Secure updating of OS and ports
M. Warner Losh
imp at bsdimp.com
Tue Nov 18 08:33:32 PST 2003
In message: <xzp7k1yxdev.fsf at dwp.des.no>
des at des.no (Dag-Erling Smørgrav) writes:
: Colin Percival <colin.percival at wadham.ox.ac.uk> writes:
: > At 06:02 17/11/2003 -0800, Carol Overes wrote:
: > > I'm thinking of updating kernel and binaries with
: > > patches form ftp.freebsd.org which are siganed with
: > > the PGP key of the security officers. However, this
: > > has to be hand-made patching. Does anyone know a
: > > secure way via for example cvsup ?
: > CVSup is insecure. FreeBSD Update might do what you want, but
: > you'd have to trust me. :)
:
: ...and three-hundred-odd FreeBSD developers.
:
: At some point you just have to stop doubting and start trusting.
cvsup is secure from everything except man in the middle or
redirection attacks. When you run cvsup over an ssh-tunnel, you can
solve these problems if you trust the cvsup running on the localhost
you ssh to.
Warner
More information about the freebsd-stable
mailing list