Date:      Sun, 13 Apr 2014 10:33:53 -0400
From:      Lowell Gilbert <freebsd-security-local@be-well.ilk.org>
To:        David.I.Noel@gmail.com
Cc:        freebsd-security@freebsd.org, security@freebsd.org
Subject:   Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
Message-ID:  <44bnw5uwmm.fsf@lowell-desk.lan>
In-Reply-To: <CAHAXwYDhxmEwxtBLyZF1R1F8XENsq4FbpzVy89BN8f%2BRYU74KA@mail.gmail.com> (David Noel's message of "Fri, 11 Apr 2014 15:23:01 -0500")
References:  <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy%2BsrjDL_=8-x9Dza5z5Q@mail.gmail.com> <53472B7F.5090001@FreeBSD.org> <CAHAXwYDdxbRimwjvPf%2B5odYUUN4u4rNzdEkEmWwZN97mi1riEg@mail.gmail.com> <53483074.1050100@delphij.net> <CAHAXwYDhxmEwxtBLyZF1R1F8XENsq4FbpzVy89BN8f%2BRYU74KA@mail.gmail.com>

David Noel <david.i.noel@gmail.com> writes:

> My main point was that if you don't trust Subversion it makes no sense
> to say you trust portsnap. Portsnap pulls the ports tree from
> Subversion. Using Subversion! The portsnap system relies on the trust
> of both svnadmin and svn. Just as it does when you run svn co and svn
> up. If you say you don't trust Subversion, essentially what you're
> saying is that you don't trust anything running on your computer.

You were talking about MITM attacks. Portsnap uses secured access for
getting updates out of Subversion, whereas doing "svn co" remotely
generally does not. This is not a trivial point.


