From: Xin Li
Organization: The FreeBSD Project
Date: Sun, 13 Apr 2014 22:24:45 -0700
To: David.I.Noel@gmail.com, Dag-Erling Smørgrav
Cc: Lowell Gilbert, freebsd-security@freebsd.org, security@freebsd.org
Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
Message-ID: <534B711D.5060109@delphij.net>

On 4/13/14, 10:04 PM, David Noel wrote:
> On 4/13/14, David Noel wrote:
>>> So by your definition, every single Apache server on the planet
>>> runs "a closed source fork of the open source Apache project"
>>> because they do not use the exact same httpd.conf?
>>
>> Ah, you're right. That's from build.conf. My mistake.
>
> Though if it's using spiped I'm not sure how it would be doing that
> from purely a config file change.

Let's focus on the more important points :)

To answer your question -- The actual portsnap build server setup is more complex than the one in svn repository. Using spiped needs the other side of server (which serves svn repository). So no, it's not a pure configuration change, but a configuration change plus other setup to support it.

That said, we can confidently say "Yes" if the question is whether the portsnap build server has trustworthy direct access to the FreeBSD ports subversion repository. No MITM attack can happen without being noticed almost immediately in this chain.

The other points you have raised are more important, though.

One thing that we can easily implement to mitigate the freeze attack would probably be to make portsnap snapshots expire after a reasonable amount of time (that is, publish a timestamp signed with the portsnap key, e.g. expires after 4 hours, so instead of "No updates found" you get "Snapshot was expired, something bad happen"), but that only narrows down the window and does not fully eliminate it.

For freebsd-update I don't have a good idea at this time for the freeze attack.

Cheers,
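
The expiry check proposed in the message above, sketched as an added example (not part of the original email and not portsnap's code): the build side signs the snapshot hash together with a build time, and the client rejects metadata older than 4 hours. Assumptions: HMAC-SHA256 with a constructed key stands in for the portsnap key's signature, and the function names, the clock-skew tolerance and the rollback check are hypothetical additions that go slightly beyond the message.

```python
import hashlib
import hmac
import json

MAX_AGE = 4 * 3600             # "expires after 4 hours", as suggested in the message
MAX_SKEW = 300                 # assumed tolerance for client clock drift, in seconds
KEY = b"constructed-demo-key"  # constructed stand-in for the portsnap signing key


def publish(snapshot_hash, now, key=KEY):
    """Build server side: sign the snapshot hash together with its build time."""
    body = json.dumps({"snapshot": snapshot_hash, "built": now}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def check(meta, now, last_built=0, key=KEY):
    """Client side: return (verdict, newest accepted build time)."""
    want = hmac.new(key, meta["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, meta["sig"]):
        return "bad-signature", last_built
    built = json.loads(meta["body"])["built"]
    if built > now + MAX_SKEW:
        return "timestamp-in-future", last_built
    if built < last_built:
        return "rollback", last_built   # older than metadata already accepted
    if now - built > MAX_AGE:
        return "expired", last_built    # possible freeze: the mirror stopped moving
    return "ok", built


def demo():
    t0 = 1_397_453_085                    # constructed build time
    old = publish("a" * 64, t0)           # constructed snapshot hash
    results = [
        check(old, t0 + 600)[0],          # fresh metadata: accepted
        check(old, t0 + MAX_AGE - 1)[0],  # replay inside the window: still accepted
        check(old, t0 + MAX_AGE + 1)[0],  # replay after expiry: detected
    ]
    # Editing the timestamp to look fresh invalidates the signature.
    forged = dict(old, body=old["body"].replace(str(t0), str(t0 + MAX_AGE)))
    results.append(check(forged, t0 + MAX_AGE + 1)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

A replay inside the 4-hour window still verifies, which is the residual window the message says this mitigation narrows but does not eliminate.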