please test: Secure ports tree updating
Bertrand JUGLAS
bertux at frenchcube.net
Wed Oct 27 00:42:07 PDT 2004
Colin Percival wrote:
> CVSup is slow, insecure, and a memory hog. However, until now
> it's been the only option for keeping an up-to-date ports tree,
> and (thanks to all of the recent work on vuxml and portaudit)
> it has become quite obvious that keeping an up-to-date ports
> tree is very important.
>
> To provide a secure, lightweight, and fast alternative to CVSup,
> I've written portsnap. As the name suggests, this is a system
> for building, *signing*, and distributing compressed snapshots
> of the ports tree, which can then be extracted into /usr/ports
> as needed.
>
> Portsnap is:
> * Lightweight. It's a 15kB shell script which uses under 50kB
> of other binaries.
> * Designed for frequent updating. Unlike CVSup, it doesn't
> need to transmit a complete list of files in the ports tree each
> time it runs; in fact, if there are no updates available, it only
> needs to fetch a single file of 256 bytes.
> * Secure. Using code from FreeBSD Update, the ports snapshots
> are signed using a 2048-bit RSA key.
> * HTTP-only. That's right, you don't need to beg your network
> maintainer to allow outgoing connections on port 5999 any more. :-)
>
> Right now I'm only building snapshots once per day, but after
> this has had some testing I'll increase that to once every 1-2
> hours. Similarly, portsnap isn't in the ports tree yet, but it
> will appear there once I'm satisfied with the testing that it
> has received.
>
> So please go and test! Portsnap can be downloaded from
> http://www.daemonology.net/portsnap/
>
> Colin Percival
> PS. I'm not sure how many testers this message is going to elicit,
> nor how much bandwidth portsnap.daemonology.net can comfortably
> handle. I may come back tomorrow and ask for some mirrors. :-)
I'm going to test it on a fresh FreeBSD 4.10-RELEASE install, and if the
download file size is small I will mirror it on my website.
I will later post results from my testing.
I hope to read from you soon,
Bertrand Juglas
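
Added example, not part of either message above and not portsnap's own code: a sketch of the "signed snapshot plus tiny tag file" idea from the quoted announcement, using the openssl command line. A 2048-bit RSA signature is 256 bytes long, the same size as the single file the announcement mentions. The tag layout (a signature with message recovery over the snapshot's hex SHA-256), the file names and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not portsnap's code. Assumed layout: the tag file is an
# RSA signature (with message recovery) over the snapshot's hex SHA-256.

sha256_hex() { openssl dgst -sha256 -r "$1" | cut -c1-64; }

# Publisher side (constructed demo): throwaway 2048-bit key pair.
make_key() {  # make_key <dir>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# Publisher side: sign the snapshot's hash; the signature alone is the tag.
sign_snapshot() {  # sign_snapshot <dir> <snapshot>  -> writes <dir>/tag.sig
    sha256_hex "$2" | tr -d '\n' > "$1/hash.txt" &&
    openssl pkeyutl -sign -inkey "$1/priv.pem" -in "$1/hash.txt" -out "$1/tag.sig"
}

# Client side: recover the signed hash using the pinned public key.
# Exits non-zero if the tag was not made with the matching private key.
signed_hash() {  # signed_hash <dir>
    openssl pkeyutl -verifyrecover -pubin -inkey "$1/pub.pem" \
        -in "$1/tag.sig" 2>/dev/null
}

# Client side: compare a snapshot on disk with a freshly fetched tag.
# Prints match (nothing to fetch, or a download is authentic),
# mismatch (outdated or altered: fetch again and re-check), or bad-tag.
check_snapshot() {  # check_snapshot <dir> <snapshot>
    want=$(signed_hash "$1") || { echo bad-tag; return 1; }
    [ "${#want}" -eq 64 ] || { echo bad-tag; return 1; }
    if [ "$want" = "$(sha256_hex "$2")" ]; then
        echo match
    else
        echo mismatch; return 2
    fi
}

# Optional demo on constructed data: sh example.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && printf 'constructed snapshot\n' > "$d/snap" &&
    make_key "$d" && sign_snapshot "$d" "$d/snap" &&
    echo "tag bytes: $(wc -c < "$d/tag.sig")" && check_snapshot "$d" "$d/snap"
fi
```

The same check serves both cases: run against the snapshot already on disk it tells the client whether anything needs fetching, and run against a newly downloaded snapshot it decides whether to extract it.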