MITM attacks against portsnap and freebsd-update

David Noel david.i.noel at
Sat May 24 03:42:52 UTC 2014

On 5/23/14, David Noel <david.i.noel at> wrote:
> On 5/20/14, Alnis Morics <alnis.morics at> wrote:
>> On 05/20/2014 09:51, n j wrote:
>>> On Tue, May 20, 2014 at 12:03 AM, David Noel <david.i.noel at>
>>> wrote:
>>>> On 5/19/14, Alnis Morics <alnis.morics at> wrote:
>>>>> On 05/19/2014 23:28, David Noel wrote:
>>>>>> I also think it would be an appropriate time to discuss retiring
>>>>>> portsnap.
>>>>> Subversion checkouts and updates take much more time than Porstnap.
>>>> My experience has been that both portsnap and svn update typically
>>>> take under a minute to complete.
>>>> Regardless, don't most people run this in the background with portsnap
>>>> cron?
>>> I don't. And I don't regularly update the ports tree.
>>> When you regularly update ports tree, the diffs svn update needs to pull
>>> are relatively small. When you update, say, once a month, portsnap in my
>>> experience gets the job done a lot quicker.
>>> My $.02,
>> Exactly. And "svn checkout" is incomparably slower than "portsnap fetch
>> extract".
> It wasn't a terribly popular suggestion on the security list either.
> It's unfortunate that svn doesn't work for your use case -- it was a
> painless transition for me. The proposal was based on a "least amount
> of work required" model. Now we're actually going to have to find
> someone who has the time free to patch portsnap!

Does anyone know what the requirements are for obtaining one of those
supercool email addresses? Would patching these bugs
qualify a person for one?

More information about the freebsd-questions mailing list