Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 17 Apr 2014 15:22:08 +0000 (UTC)
From:      Christian Weisgerber <naddy@mips.inka.de>
To:        freebsd-hackers@freebsd.org
Subject:   Re: MITM attacks against portsnap and freebsd-update
Message-ID:  <slrnlkvsd0.1tt8.naddy@lorvorc.mips.inka.de>
References:  <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy%2BsrjDL_=8-x9Dza5z5Q@mail.gmail.com> <2012148.SzKMgBGQYg@desktop.reztek>

next in thread | previous in thread | raw e-mail | index | archive | help
On 2014-04-11, Matthew Rezny <matthew@reztek.cz> wrote:

> I agree portsnap could be replaced, but SVNlite isn't the answer. Instead, I 
> suggest rsync. Rsync is fast to do the initial fetch and even faster to do the 
> update.

Rsync performs poorly with large directory trees.  Each run, it
stat(2)s every file, bringing the server to its knees.

*The* feature of CVSup was that it cached this meta data.

> in addition to, SSL/TLS support for the TCP connection, the trees could be 
> fetched not as thousand of files, but as a couple tar files (src.tar and 
> ports.tar), the hashes of which could be verified before extraction. Those tar 
> files should be uncompressed in order to allow the rsync algorithm to work its 
> magic during updates.

I'm not sure how that scales.  Poorly unless the server can hold
the file completely in memory, would be my guess.

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?slrnlkvsd0.1tt8.naddy>