Date:      Tue, 26 Oct 2004 16:11:35 -0400
From:      Jason DiCioccio <jd@ods.org>
To:        Colin Percival <colin.percival@wadham.ox.ac.uk>, freebsd-ports@freebsd.org
Cc:        freebsd-security@freebsd.org
Subject:   Re: please test: Secure ports tree updating
Message-ID:  <9BBE3B5561450CAF8EE94788@[10.102.0.67]>
In-Reply-To: <417EAC7E.2040103@wadham.ox.ac.uk>
References:  <417EAC7E.2040103@wadham.ox.ac.uk>

Colin,
  This sounds great.  If you do end up needing a mirror, feel free to email 
me.  I have a couple of servers on different connections (10/100mbit) that 
I might be able to donate to your cause.  In the meantime, I'm going to 
give it a shot.

Regards,
-JD-

--On Tuesday, October 26, 2004 20:58:54 +0100 Colin Percival 
<colin.percival@wadham.ox.ac.uk> wrote:

> CVSup is slow, insecure, and a memory hog.  However, until now
> it's been the only option for keeping an up-to-date ports tree,
> and (thanks to all of the recent work on vuxml and portaudit)
> it has become quite obvious that keeping an up-to-date ports
> tree is very important.
>
> To provide a secure, lightweight, and fast alternative to CVSup,
> I've written portsnap.  As the name suggests, this is a system
> for building, *signing*, and distributing compressed snapshots
> of the ports tree, which can then be extracted into /usr/ports
> as needed.
>
> Portsnap is:
>   * Lightweight.  It's a 15kB shell script which uses under 50kB
> of other binaries.
>   * Designed for frequent updating.  Unlike CVSup, it doesn't
> need to transmit a complete list of files in the ports tree each
> time it runs; in fact, if there are no updates available, it only
> needs to fetch a single file of 256 bytes.
>   * Secure.  Using code from FreeBSD Update, the ports snapshots
> are signed using a 2048-bit RSA key.
>   * HTTP-only.  That's right, you don't need to beg your network
> maintainer to allow outgoing connections on port 5999 any more. :-)
>
> Right now I'm only building snapshots once per day, but after
> this has had some testing I'll increase that to once every 1-2
> hours.  Similarly, portsnap isn't in the ports tree yet, but it
> will appear there once I'm satisfied with the testing that it
> has received.
>
> So please go and test!  Portsnap can be downloaded from
> http://www.daemonology.net/portsnap/
>
> Colin Percival
> PS. I'm not sure how many testers this message is going to elicit,
> nor how much bandwidth portsnap.daemonology.net can comfortably
> handle.  I may come back tomorrow and ask for some mirrors. :-)
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"





