From owner-freebsd-security@FreeBSD.ORG Tue Oct 26 19:58:57 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 498BE16A4CE for ; Tue, 26 Oct 2004 19:58:57 +0000 (GMT) Received: from tx1.mail.ox.ac.uk (tx1.mail.ox.ac.uk [129.67.1.167]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2444143D49 for ; Tue, 26 Oct 2004 19:58:56 +0000 (GMT) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from scan1.mail.ox.ac.uk ([129.67.1.166] helo=localhost) by tx1.mail.ox.ac.uk with esmtp (Exim 4.42) id 1CMXT4-000270-6E for freebsd-security@freebsd.org; Tue, 26 Oct 2004 20:58:54 +0100 Received: from rx1.mail.ox.ac.uk ([129.67.1.165]) by localhost (scan1.mail.ox.ac.uk [129.67.1.166]) (amavisd-new, port 25) with ESMTP id 08069-02 for ; Tue, 26 Oct 2004 20:58:54 +0100 (BST) Received: from gateway.wadham.ox.ac.uk ([163.1.161.253]) by rx1.mail.ox.ac.uk with smtp (Exim 4.42) id 1CMXT4-00026x-5W for freebsd-security@freebsd.org; Tue, 26 Oct 2004 20:58:54 +0100 Received: (qmail 11641 invoked by uid 1004); 26 Oct 2004 19:58:54 -0000 Received: from colin.percival@wadham.ox.ac.uk by gateway by uid 71 with qmail-scanner-1.20 (clamscan: 0.67. sweep: 2.18/3.79. Clear:RC:1(163.1.161.203):. Processed in 0.016569 secs); 26 Oct 2004 19:58:54 -0000 Received: from dhcp1203.wadham.ox.ac.uk (HELO ?163.1.161.203?) (163.1.161.203) by gateway.wadham.ox.ac.uk with SMTP; 26 Oct 2004 19:58:54 -0000 Message-ID: <417EAC7E.2040103@wadham.ox.ac.uk> Date: Tue, 26 Oct 2004 20:58:54 +0100 From: Colin Percival User-Agent: Mozilla Thunderbird 0.7.3 (X11/20040928) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ports@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: please test: Secure ports tree updating X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Oct 2004 19:58:57 -0000 CVSup is slow, insecure, and a memory hog. However, until now it's been the only option for keeping an up-to-date ports tree, and (thanks to all of the recent work on vuxml and portaudit) it has become quite obvious that keeping an up-to-date ports tree is very important. To provide a secure, lightweight, and fast alternative to CVSup, I've written portsnap. As the name suggests, this is a system for building, *signing*, and distributing compressed snapshots of the ports tree, which can then be extracted into /usr/ports as needed. Portsnap is: * Lightweight. It's a 15kB shell script which uses under 50kB of other binaries. * Designed for frequent updating. Unlike CVSup, it doesn't need to transmit a complete list of files in the ports tree each time it runs; in fact, if there are no updates available, it only needs to fetch a single file of 256 bytes. * Secure. Using code from FreeBSD Update, the ports snapshots are signed using a 2048-bit RSA key. * HTTP-only. That's right, you don't need to beg your network maintainer to allow outgoing connections on port 5999 any more. :-) Right now I'm only building snapshots once per day, but after this has had some testing I'll increase that to once every 1-2 hours. Similarly, portsnap isn't in the ports tree yet, but it will appear there once I'm satisfied with the testing that it has received. So please go and test! Portsnap can be downloaded from http://www.daemonology.net/portsnap/ Colin Percival PS. I'm not sure how many testers this message is going to elicit, nor how much bandwidth portsnap.daemonology.net can comfortably handle. I may come back tomorrow and ask for some mirrors. :-)