Secure updating of OS and ports

Steve O'Hara-Smith steve at
Tue Nov 18 11:41:05 PST 2003

On Tue, 18 Nov 2003 16:42:52 +0000
Colin Percival <colin.percival at> wrote:

CP> segments on which the above reside.  It's *almost* as secure as http
CP> -- but not quite, since the mirror system provides another point of
CP> attack.
CP>    If everyone used ssh tunnels to cvsup-master, this wouldn't be an 
CP> issue... but that isn't an option.

	You could raise the bar by pulling the repository from one mirror
and the source tree from another and doing a cvs diff. Refer to the
mirrors by IP address to push the DNS issue out of the way. Confirm
connections with netstat -anf inet once established. Wait 24 hours
before deploying - if anything got through that lot it is likely to be
widespread and noticed or someone very determined who has it in for you.

C:>WIN                                      |     Directable Mirrors
The computer obeys and wins.                |A Better Way To Focus The Sun
You lose and Bill collects.                 |  licenses available - see:

More information about the freebsd-stable mailing list