Date: Tue, 26 Oct 2004 16:11:35 -0400
From: Jason DiCioccio
To: Colin Percival, freebsd-ports@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: please test: Secure ports tree updating
Message-ID: <9BBE3B5561450CAF8EE94788@[10.102.0.67]>
In-Reply-To: <417EAC7E.2040103@wadham.ox.ac.uk>

Colin,

This sounds great. If you do end up needing a mirror, feel free to email me.
I have a couple of servers on different connections (10/100mbit) that I might
be able to donate to your cause. In the mean time, I'm going to give it a shot..

Regards,
-JD-

--On Tuesday, October 26, 2004 20:58:54 +0100 Colin Percival wrote:

> CVSup is slow, insecure, and a memory hog. However, until now
> it's been the only option for keeping an up-to-date ports tree,
> and (thanks to all of the recent work on vuxml and portaudit)
> it has become quite obvious that keeping an up-to-date ports
> tree is very important.
>
> To provide a secure, lightweight, and fast alternative to CVSup,
> I've written portsnap. As the name suggests, this is a system
> for building, *signing*, and distributing compressed snapshots
> of the ports tree, which can then be extracted into /usr/ports
> as needed.
>
> Portsnap is:
> * Lightweight. It's a 15kB shell script which uses under 50kB
>   of other binaries.
> * Designed for frequent updating. Unlike CVSup, it doesn't
>   need to transmit a complete list of files in the ports tree each
>   time it runs; in fact, if there are no updates available, it only
>   needs to fetch a single file of 256 bytes.
> * Secure. Using code from FreeBSD Update, the ports snapshots
>   are signed using a 2048-bit RSA key.
> * HTTP-only. That's right, you don't need to beg your network
>   maintainer to allow outgoing connections on port 5999 any more. :-)
>
> Right now I'm only building snapshots once per day, but after
> this has had some testing I'll increase that to once every 1-2
> hours. Similarly, portsnap isn't in the ports tree yet, but it
> will appear there once I'm satisfied with the testing that it
> has received.
>
> So please go and test! Portsnap can be downloaded from
> http://www.daemonology.net/portsnap/
>
> Colin Percival
> PS. I'm not sure how many testers this message is going to elicit,
> nor how much bandwidth portsnap.daemonology.net can comfortably
> handle. I may come back tomorrow and ask for some mirrors.
> :-)
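
Added example, not part of the original thread and not portsnap's own code: a sketch of the update check described in the quoted announcement, where a client fetches one small signed file and learns from it whether a new snapshot exists. A 2048-bit RSA signature is 256 bytes, so here that file is a signature from which the tag is recovered; this design, the file names, the tag format and the use of `openssl pkeyutl` are assumptions of the example.

```sh
#!/bin/sh
# Added example, not portsnap's code: a signed "latest snapshot" tag that a
# client verifies before deciding whether to download anything.
# File names and the tag format are constructed for this demo.
WORK=$(mktemp -d)

setup_keys() {      # publisher's 2048-bit RSA key; clients only get pub.pem
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null &&
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
}

publish_tag() {     # $1 = tag text; the signature is the only published file
    printf '%s\n' "$1" > "$WORK/tag.plain"
    openssl pkeyutl -sign -inkey "$WORK/key.pem" \
        -in "$WORK/tag.plain" -out "$WORK/latest.sig"
}

sig_size() { wc -c < "$WORK/latest.sig" | tr -d ' '; }

# Client: recover the tag from the signature using the trusted public key.
# Returns 0 = up to date, 1 = verified new tag, 2 = signature rejected.
check_update() {
    openssl pkeyutl -verifyrecover -pubin -inkey "$WORK/pub.pem" \
        -in "$WORK/latest.sig" -out "$WORK/tag.new" 2>/dev/null || return 2
    if [ -f "$WORK/tag.cached" ] && cmp -s "$WORK/tag.new" "$WORK/tag.cached"
    then
        return 0
    fi
    # A real client would now fetch the snapshot named in the tag and check
    # its hash before extracting; the demo only records the verified tag.
    cp "$WORK/tag.new" "$WORK/tag.cached"
    return 1
}

# Print check_update's status instead of returning it (safe under set -e).
run_check() { rc=0; check_update || rc=$?; echo "$rc"; }

# Demo run with a constructed tag (epoch timestamp plus placeholder hash).
setup_keys
publish_tag 'demo-snapshot|1098820800|PLACEHOLDER_SNAPSHOT_HASH_1'
echo "signature bytes: $(sig_size)"
echo "first run:       $(run_check)"
echo "second run:      $(run_check)"
dd if=/dev/urandom of="$WORK/latest.sig" bs=256 count=1 2>/dev/null
echo "tampered file:   $(run_check)"
```

The client needs only the publisher's public key, obtained out of band, so an untrusted HTTP mirror can serve the signed file without being able to forge a tag.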