Date:      Tue, 26 Oct 2004 20:58:54 +0100
From:      Colin Percival <colin.percival@wadham.ox.ac.uk>
To:        freebsd-ports@freebsd.org
Cc:        freebsd-security@freebsd.org
Subject:   please test: Secure ports tree updating
Message-ID:  <417EAC7E.2040103@wadham.ox.ac.uk>

CVSup is slow, insecure, and a memory hog.  However, until now
it's been the only option for keeping an up-to-date ports tree,
and (thanks to all of the recent work on vuxml and portaudit)
it has become quite obvious that keeping an up-to-date ports
tree is very important.

To provide a secure, lightweight, and fast alternative to CVSup,
I've written portsnap.  As the name suggests, this is a system
for building, *signing*, and distributing compressed snapshots
of the ports tree, which can then be extracted into /usr/ports
as needed.

Portsnap is:
  * Lightweight.  It's a 15kB shell script which uses under 50kB
of other binaries.
  * Designed for frequent updating.  Unlike CVSup, it doesn't
need to transmit a complete list of files in the ports tree each
time it runs; in fact, if there are no updates available, it only
needs to fetch a single file of 256 bytes.
  * Secure.  Using code from FreeBSD Update, the ports snapshots
are signed using a 2048-bit RSA key.
  * HTTP-only.  That's right, you don't need to beg your network
maintainer to allow outgoing connections on port 5999 any more. :-)

Right now I'm only building snapshots once per day, but after
this has had some testing I'll increase that to once every 1-2
hours.  Similarly, portsnap isn't in the ports tree yet, but it
will appear there once I'm satisfied with the testing that it
has received.

So please go and test!  Portsnap can be downloaded from
http://www.daemonology.net/portsnap/

Colin Percival
PS. I'm not sure how many testers this message is going to elicit,
nor how much bandwidth portsnap.daemonology.net can comfortably
handle.  I may come back tomorrow and ask for some mirrors. :-)


