Secure updating of OS and ports
Steve O'Hara-Smith
steve at sohara.org
Tue Nov 18 11:41:05 PST 2003
On Tue, 18 Nov 2003 16:42:52 +0000
Colin Percival <colin.percival at wadham.ox.ac.uk> wrote:
...
CP> segments on which the above reside. It's *almost* as secure as http
CP> -- but not quite, since the mirror system provides another point of
CP> attack.
CP> If everyone used ssh tunnels to cvsup-master, this wouldn't be an
CP> issue... but that isn't an option.
You could raise the bar by pulling the repository from one mirror
and the source tree from another and doing a cvs diff. Refer to the
mirrors by IP address to push the DNS issue out of the way. Confirm
connections with netstat -anf inet once established. Wait 24 hours
before deploying - if anything got through that lot it is likely to be
widespread and noticed or someone very determined who has it in for you.
--
C:>WIN                                      |   Directable Mirrors
The computer obeys and wins.                | A Better Way To Focus The Sun
You lose and Bill collects.                 |    licenses available - see:
                                            |     http://www.sohara.org/
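
The checks suggested in the message above, sketched as shell functions. This is an added example, not code from the thread or from the FreeBSD project; it generalizes the "cvs diff" step to a recursive comparison of two checked-out trees fetched from different mirrors. The function names, the stamp file holding the fetch time, and the arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not from the thread. Function names and the stamp-file
# convention are hypothetical; addresses, port and paths are arguments.

# peer_ok IP PORT: read `netstat -anf inet` output on stdin. Succeed only if
# an ESTABLISHED connection to IP.PORT exists and no ESTABLISHED connection
# to PORT goes to any other address (FreeBSD prints address.port).
peer_ok() {
    awk -v want="$1.$2" -v port="$2" '
        $NF != "ESTABLISHED" { next }
        { n = split($5, p, "."); if (p[n] != port) next }
        $5 == want { good = 1; next }
        { print "unexpected peer: " $5; bad = 1 }
        END { exit !(good && !bad) }'
}

# trees_match A B: compare two trees fetched from different mirrors,
# skipping CVS/ administrative directories. Lists differing files.
trees_match() {
    diff -rq -x CVS "$1" "$2"
}

# hold_elapsed STAMP HOURS [NOW]: STAMP contains the fetch time in epoch
# seconds; NOW defaults to the current time and exists for testing.
hold_elapsed() {
    fetched=$(cat "$1") || return 1
    now=${3:-$(date +%s)}
    [ $((now - fetched)) -ge $(($2 * 3600)) ]
}

# ready_to_deploy A B STAMP [HOURS] [NOW]: both gates, 24 hours by default.
ready_to_deploy() {
    trees_match "$1" "$2" ||
        { echo "mirrors disagree: do not deploy"; return 1; }
    hold_elapsed "$3" "${4:-24}" "$5" ||
        { echo "still inside the hold window"; return 1; }
    echo "trees agree and the hold window has passed"
}
```

While a fetch is running, pipe `netstat -anf inet` into `peer_ok` with the mirror's IP address and port; run `ready_to_deploy` on the two trees once the wait is over.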
More information about the freebsd-stable mailing list