please test: Secure ports tree updating

Bertrand JUGLAS bertux at frenchcube.net
Wed Oct 27 00:42:07 PDT 2004


Colin Percival wrote:

> CVSup is slow, insecure, and a memory hog.  However, until now
> it's been the only option for keeping an up-to-date ports tree,
> and (thanks to all of the recent work on vuxml and portaudit)
> it has become quite obvious that keeping an up-to-date ports
> tree is very important.
>
> To provide a secure, lightweight, and fast alternative to CVSup,
> I've written portsnap.  As the name suggests, this is a system
> for building, *signing*, and distributing compressed snapshots
> of the ports tree, which can then be extracted into /usr/ports
> as needed.
>
> Portsnap is:
>  * Lightweight.  It's a 15kB shell script which uses under 50kB
> of other binaries.
>  * Designed for frequent updating.  Unlike CVSup, it doesn't
> need to transmit a complete list of files in the ports tree each
> time it runs; in fact, if there are no updates available, it only
> needs to fetch a single file of 256 bytes.
>  * Secure.  Using code from FreeBSD Update, the ports snapshots
> are signed using a 2048-bit RSA key.
>  * HTTP-only.  That's right, you don't need to beg your network
> maintainer to allow outgoing connections on port 5999 any more. :-)
>
> Right now I'm only building snapshots once per day, but after
> this has had some testing I'll increase that to once every 1-2
> hours.  Similarly, portsnap isn't in the ports tree yet, but it
> will appear there once I'm satisfied with the testing that it
> has received.
>
> So please go and test!  Portsnap can be downloaded from
> http://www.daemonology.net/portsnap/
>
> Colin Percival
> PS. I'm not sure how many testers this message is going to elicit,
> nor how much bandwidth portsnap.daemonology.net can comfortably
> handle.  I may come back tomorrow and ask for some mirrors. :-)

I'm going to test it on a fresh FreeBSD 4.10-RELEASE install, and if the
download file size is small I will mirror it on my website.
I will later post results from my testing.
I hope to read from you soon,
Bertrand Juglas
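
The update check described in the announcement, as an added illustration that is not part of the thread and is not portsnap's code: a 2048-bit RSA signature is 256 bytes, so one small signed file can tell a client whether its snapshot is current. The key names, file names and tag layout are assumptions, and the snapshots are constructed sample data.

```shell
#!/bin/sh
# Added illustration: key names, file names and the tag layout (the hex
# SHA-256 of the snapshot) are assumptions, not portsnap's actual format.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

new_key() {      # $1 = name; writes $1.pem (private) and $1.pub (public)
    openssl genrsa -out "$WORK/$1.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/$1.pem" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

snap_hash() {    # $1 = snapshot file; prints its SHA-256 as 64 hex chars
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Builder: sign a tag naming the current snapshot. An RSA signature under a
# 2048-bit key is exactly 256 bytes, and here it carries the tag itself.
publish_tag() {  # $1 = signing key name, $2 = snapshot file
    printf '%s' "$(snap_hash "$2")" |
        openssl pkeyutl -sign -inkey "$WORK/$1.pem" -out "$WORK/latest.sig"
}

# Client: recover the tag using the pinned public key, then decide.
# Prints "current", "update" or "reject"; on "reject" nothing is trusted.
check_update() { # $1 = pinned key name, $2 = local snapshot file
    tag=$(openssl pkeyutl -verifyrecover -pubin -inkey "$WORK/$1.pub" \
              -in "$WORK/latest.sig" 2>/dev/null) || { echo reject; return 0; }
    if [ ${#tag} -ne 64 ] || printf '%s' "$tag" | grep -q '[^0-9a-f]'; then
        echo reject                      # verified, but not a well-formed tag
    elif [ "$tag" = "$(snap_hash "$2")" ]; then
        echo current                     # nothing more to download
    else
        echo update                      # fetch the snapshot named by the tag
    fi
}

# Constructed sample data: two tiny "snapshots" and two keys.
new_key builder; new_key other
printf 'ports tree, day 1\n' > "$WORK/old.snap"
printf 'ports tree, day 2\n' > "$WORK/new.snap"

publish_tag builder "$WORK/new.snap"
echo "up to date:   $(check_update builder "$WORK/new.snap")"
echo "stale client: $(check_update builder "$WORK/old.snap")"
publish_tag other "$WORK/new.snap"       # tag signed by a key the client does not pin
echo "wrong signer: $(check_update builder "$WORK/old.snap")"
```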

