Date:      Fri, 11 Apr 2014 11:12:04 -0700
From:      Xin Li <delphij@delphij.net>
To:        David.I.Noel@gmail.com, Bryan Drewery <bdrewery@freebsd.org>
Cc:        freebsd-security@freebsd.org, secteam <secteam@freebsd.org>, security@freebsd.org
Subject:   Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
Message-ID:  <53483074.1050100@delphij.net>
In-Reply-To: <CAHAXwYDdxbRimwjvPf%2B5odYUUN4u4rNzdEkEmWwZN97mi1riEg@mail.gmail.com>
References:  <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy%2BsrjDL_=8-x9Dza5z5Q@mail.gmail.com> <53472B7F.5090001@FreeBSD.org> <CAHAXwYDdxbRimwjvPf%2B5odYUUN4u4rNzdEkEmWwZN97mi1riEg@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/11/14 09:08, David Noel wrote:
>> Your report aside, I find portsnap to be far superior in security
>> for ports and users.
> 
> If you look at the portsnap build code you'll see that the first
> thing portsnap does is pull the ports tree from Subversion. It uses
> the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh
> the entire ports archive is exposed to corruption right from the
> start.

Just to clarify -- this is not entirely true.  I have double-checked
and confirmed that the snapshot builder of portsnap at FreeBSD.org
uses svn over spiped transport.

The configuration in svn does not necessarily reflect what's running in
production (however, you raised a very good point: it's a good idea
to make them public, assuming there is no sensitive information in
them, so that anyone can review them).

Cheers,
- -- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53483074.1050100>
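The disagreement above comes down to the transport under the Subversion checkout: a plain `svn://` fetch across the network has no server authentication or confidentiality, while `svn+ssh://`, `https://`, or `svn://` to a loopback listener fronted by a spiped client tunnel does. The following is an added example, not code from this thread, from portsnap, or from FreeBSD's build infrastructure: a small audit that classifies checkout URLs by transport the way a reviewer of build configuration would. The sample URLs, the `tunnel_ports` convention for declaring which loopback ports a spiped client serves, and the verdict labels are all constructed for the example.

```python
"""Classify the transport security of Subversion checkout URLs.

Constructed example. A fetch is judged on its scheme and destination:
svn+ssh and https authenticate the server and encrypt the stream; svn
and http do not, unless they terminate on a loopback port that a spiped
client tunnel is declared to serve (the pattern described in the thread).
"""
import ipaddress
from urllib.parse import urlsplit

# Schemes that authenticate the server and encrypt the channel on their own.
SECURE_SCHEMES = {"svn+ssh", "https"}
# Schemes that carry the repository stream in the clear.
PLAINTEXT_SCHEMES = {"svn", "http"}
DEFAULT_PORTS = {"svn": 3690, "http": 80, "https": 443, "svn+ssh": 22}


def is_loopback(host):
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def classify(url, tunnel_ports=frozenset()):
    """Return (verdict, reason) for one checkout URL.

    tunnel_ports: loopback ports on which a spiped client is declared to
    listen (an assumption of this example, not a portsnap setting).
    Verdicts: "ok", "warn" (loopback but no declared tunnel), "fail".
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(scheme)

    if scheme == "file":
        return "ok", "local filesystem, no network transport"
    if scheme in SECURE_SCHEMES:
        return "ok", f"{scheme} authenticates the server and encrypts the stream"
    if scheme in PLAINTEXT_SCHEMES:
        if is_loopback(host) and port in tunnel_ports:
            return "ok", f"{scheme} to loopback port {port}, carried by a spiped tunnel"
        if is_loopback(host):
            return "warn", f"{scheme} to loopback port {port}, but no tunnel is declared for it"
        return "fail", f"{scheme} to {host} crosses the network in the clear"
    return "fail", f"unrecognised scheme {scheme!r}"


def audit(urls, tunnel_ports=frozenset()):
    """Map each URL to its (verdict, reason); plaintext network fetches fail."""
    return {u: classify(u, tunnel_ports) for u in urls}


if __name__ == "__main__":
    # Constructed sample: the URL quoted in the thread, its secured variants,
    # and a loopback endpoint behind a (declared) spiped client on 3690.
    sample = [
        "svn://svn.freebsd.org/ports",
        "svn+ssh://svn.freebsd.org/ports",
        "https://svn.freebsd.org/ports/head",
        "svn://127.0.0.1:3690/ports",
        "svn://localhost/ports",
    ]
    for url, (verdict, reason) in audit(sample, tunnel_ports={3690}).items():
        print(f"{verdict:4}  {url:40}  {reason}")
```

The "warn" verdict is deliberate: a loopback `svn://` endpoint is only as good as the tunnel in front of it, so the audit refuses to call it secure unless the configuration being reviewed actually declares that tunnel.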