From: Ian Smith
To: Lowell Gilbert
Cc: freebsd-security@freebsd.org, David.I.Noel@gmail.com
Date: Mon, 14 Apr 2014 15:09:24 +1000 (EST)
Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]

On Sun, 13 Apr 2014 10:33:53 -0400, Lowell Gilbert wrote:
> David Noel writes:
>
> > My main point was that if you don't trust Subversion it makes no sense
> > to say you trust portsnap. Portsnap pulls the ports tree from
> > Subversion. Using Subversion! The portsnap system relies on the trust
> > of both svnadmin and svn. Just as it does when you run svn co and svn
> > up. If you say you don't trust Subversion, essentially what you're
> > saying is that you don't trust anything running on your computer.
>
> You were talking about MITM attacks. Portsnap uses secured access for
> getting updates out of Subversion, whereas doing "svn co" remotely
> generally does not. This is not a trivial point.

Indeed it is not. David's solution - which seems to amount to removing
portsnap and herding the cats at home to DTRT about using svn securely -
relies on other cats being as smart and aware of the ramifications as he
is - a highly questionable proposition especially for the numerous more
naive users that portsnap renders the process of securely upgrading the
ports tree just about as simple and consistent as it can be.

David, perhaps your obvious talent for auditing the portsnap code and
its server-side configuration might be better applied to remedying any
perceived vulnerabilities in conjunction with present and past security
officers and teams?

cheers, Ian