svn checkout "head" or "stable"
David Noel
david.i.noel at gmail.com
Fri Sep 28 21:01:46 UTC 2012
On 9/28/12, Matthew Seaman <matthew at freebsd.org> wrote:
> On 28/09/2012 20:41, Ed Flecko wrote:
>> David - I'd like to, but every time I try that it prompts me for a
>> password...and I don't know what password it wants???
>
> That would be the password to a freebsd.org account, which isn't going
> to work for most people on two counts:
>
> * freebsd.org uses SSH keys for authentication, not passwords.
>
> * even if you've got a SSH key, not being a FreeBSD committer you
> probably don't have a freebsd.org account.
>
> For anonymous access, you can use http or svn. Given that anonymous
> access is read-only, there's really not much to be gained from SSH or
> other means of encrypting the connection, either for you, or for the
> FreeBSD servers. It's anonymous, so you don't care about
> authentication. FreeBSD sources are publicly available, so you don't
> care about anyone eavesdropping on the traffic. About the only thing
> you're still exposed to is a man-in-the-middle attack, where someone
> could pose as a FreeBSD server and feed you a trojanned set of sources
> -- but then, you'ld still be exposed in exactly the same way even using
> svn+ssh. In practice, attacks of this type are very (pretty much
> vanishingly) rare. If they do concern you, then use portsnap(8) /
> freebsd-update(8) which has specific cryptographic protection against
> such things. The portsnap and freebsd-update build systems also have
> special access to the master FreeBSD repositories to minimize the
> chances that they themselves could be fed trojanned sources.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
MITM-based attacks--and subsequent corrupted sources--are my concern.
It was my understanding that anonymous svn+ssh would prevent this
assuming the host key was properly verified against
http://www.freebsd.org/internal/ssh-keys.asc.
Recently I've installed from an iso and then manually updated with
pgp-signed security patches. It would certainly be nice to have some
secure source update mechanism though.
More information about the freebsd-questions
mailing list