MITM attacks against portsnap and freebsd-update

Christian Weisgerber naddy at mips.inka.de
Thu Apr 17 16:37:27 UTC 2014


On 2014-04-11, Matthew Rezny <matthew at reztek.cz> wrote:

> I agree portsnap could be replaced, but SVNlite isn't the answer. Instead, I 
> suggest rsync. Rsync is fast to do the initial fetch and even faster to do the 
> update.

Rsync performs poorly with large directory trees.  Each run, it
stat(2)s every file, bringing the server to its knees.

*The* feature of CVSup was that it cached this metadata.

> in addition to, SSL/TLS support for the TCP connection, the trees could be 
> fetched not as thousand of files, but as a couple tar files (src.tar and 
> ports.tar), the hashes of which could be verified before extraction. Those tar 
> files should be uncompressed in order to allow the rsync algorithm to work its 
> magic during updates.

I'm not sure how that scales.  Poorly unless the server can hold
the file completely in memory, would be my guess.

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de
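The "verify the hashes before extraction" step in the quoted proposal is the part that actually defends against an on-path attacker, and the ordering matters: the digest has to be checked over the whole archive before a single member touches the filesystem. The following is an added example, not code from this thread or from portsnap/freebsd-update, and it assumes the expected digest arrives through some trusted channel (a signed manifest, a pinned value) that the mail does not specify; the archive contents are constructed sample data standing in for ports.tar.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so a multi-hundred-MB src.tar never has to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def extract_verified(tar_path, expected_sha256, dest):
    """Extract tar_path into dest only after its digest matches expected_sha256.

    Returns the member names extracted, in archive order. Raises ValueError
    (and creates nothing under dest) if the digest or any member path is bad.
    """
    actual = sha256_file(tar_path)
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("digest mismatch: expected %s, got %s" % (expected_sha256, actual))

    # Only an uncompressed archive is accepted ("r:"), matching the proposal
    # that the tar stay uncompressed so rsync deltas work on updates.
    with tarfile.open(tar_path, "r:") as tf:
        members = tf.getmembers()
        root = os.path.realpath(dest)
        for m in members:
            # Even a verified archive gets a path check: refuse anything that
            # would land outside dest or that is not a plain file/directory.
            target = os.path.realpath(os.path.join(root, m.name))
            if not target.startswith(root + os.sep):
                raise ValueError("unsafe member path: %s" % m.name)
            if not (m.isfile() or m.isdir()):
                raise ValueError("unsupported member type: %s" % m.name)
        os.makedirs(root, exist_ok=True)  # created only after every check passed
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for m in members:
            tf.extract(m, root, **kwargs)
        return [m.name for m in members]


def build_sample_tar(path):
    """Write a small constructed archive; the contents are not real ports data."""
    files = {
        "ports/Mk/bsd.port.mk": b"# constructed sample\n",
        "ports/security/sudo/Makefile": b"PORTNAME=\tsudo\n",
    }
    with tarfile.open(path, "w:") as tf:
        for name, data in files.items():
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
    return list(files)


def demo():
    """Good archive is extracted; a one-byte on-path modification is rejected before extraction."""
    work = tempfile.mkdtemp()
    tar_path = os.path.join(work, "ports.tar")
    build_sample_tar(tar_path)
    # Stand-in for the trusted digest: computed from the pristine archive here.
    trusted = sha256_file(tar_path)

    good_dir = os.path.join(work, "good")
    extracted = extract_verified(tar_path, trusted, good_dir)
    with open(os.path.join(good_dir, "ports/Mk/bsd.port.mk"), "rb") as f:
        first_file = f.read()

    # Simulate a MITM flipping one bit in the first file body (offset 512 is
    # the first data block, right after the first 512-byte tar header).
    with open(tar_path, "r+b") as f:
        f.seek(512)
        b = f.read(1)
        f.seek(512)
        f.write(bytes([b[0] ^ 0x01]))

    bad_dir = os.path.join(work, "bad")
    try:
        extract_verified(tar_path, trusted, bad_dir)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "extracted": extracted,
        "first_file": first_file,
        "tampered_rejected": rejected,
        "tampered_dir_created": os.path.isdir(bad_dir),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the second half: the tampered archive is refused before `dest` even exists, so a partially-applied tree is never left behind. The digest source is the real design question the thread is circling, and this example deliberately leaves it as an input.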

