From owner-freebsd-hackers@FreeBSD.ORG Thu Apr 17 16:37:27 2014
To: freebsd-hackers@freebsd.org
From: Christian Weisgerber
Newsgroups: list.freebsd.hackers
Subject: Re: MITM attacks against portsnap and freebsd-update
Date: Thu, 17 Apr 2014 15:22:08 +0000 (UTC)
Message-ID:
References: <2012148.SzKMgBGQYg@desktop.reztek>
List-Id: Technical Discussions relating to FreeBSD

On 2014-04-11, Matthew Rezny wrote:

> I agree portsnap could be replaced, but SVNlite isn't the answer. Instead, I
> suggest rsync. Rsync is fast to do the initial fetch and even faster to do the
> update.

Rsync performs poorly with large directory trees. Each run, it stat(2)s
every file, bringing the server to its knees. *The* feature of CVSup was
that it cached this metadata.

> in addition to, SSL/TLS support for the TCP connection, the trees could be
> fetched not as thousands of files, but as a couple of tar files (src.tar and
> ports.tar), the hashes of which could be verified before extraction. Those tar
> files should be uncompressed in order to allow the rsync algorithm to work its
> magic during updates.

I'm not sure how that scales. Poorly unless the server can hold the file
completely in memory, would be my guess.

-- 
Christian "naddy" Weisgerber naddy@mips.inka.de
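The quoted proposal's point that the tar files should stay uncompressed so rsync's delta transfer can reuse unchanged blocks, as an added illustration that is not part of this thread: a simplified receiver/sender block-matching loop in Python, run over a constructed tree of Makefile-like files with one file edited, once on the raw tar and once on its gzip'd form. The 1024-byte block size, the sample file names and contents are assumptions; the adler32/md5 checksums only locate matching blocks and are not the hash verification the proposal wants before extraction.

```python
import gzip, hashlib, io, random, tarfile, zlib

BLOCK = 1024  # receiver-side block size (assumed; rsync derives its own from the file size)

def make_tar(files):
    """Build an uncompressed tar archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(files[name]), 0
            tf.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def block_signatures(old):
    """Receiver side: weak (adler32) and strong (md5) checksum of every fixed block it holds."""
    sigs = {}
    for i in range(0, len(old), BLOCK):
        blk = old[i:i + BLOCK]
        sigs.setdefault(zlib.adler32(blk), set()).add(hashlib.md5(blk).digest())
    return sigs

def reuse_ratio(old, new):
    """Sender side: slide a BLOCK window over the new file; bytes inside a window whose checksums
    the receiver already has are sent as a block reference, everything else as literals.
    (Real rsync rolls the weak checksum forward; recomputing it per position keeps this short.)"""
    sigs, matched, i = block_signatures(old), 0, 0
    while i + BLOCK <= len(new):
        blk = new[i:i + BLOCK]
        weak = zlib.adler32(blk)
        if weak in sigs and hashlib.md5(blk).digest() in sigs[weak]:
            matched, i = matched + BLOCK, i + BLOCK
        else:
            i += 1
    return matched / len(new)

# Constructed sample tree: 50 Makefile-like files; the "update" adds one line to one of them.
rng = random.Random(17)
KEYS = [b"PORTNAME", b"PORTVERSION", b"CATEGORIES", b"MAINTAINER", b"COMMENT", b"USES"]
OLD_FILES = {f"ports/cat{i:02d}/Makefile": b"".join(
    b"%s=\t%d-%d\n" % (rng.choice(KEYS), i, rng.randrange(1000)) for _ in range(40)) for i in range(50)}
NEW_FILES = dict(OLD_FILES)
NEW_FILES["ports/cat07/Makefile"] = b"PORTREVISION=\t1\n" + OLD_FILES["ports/cat07/Makefile"]
OLD_TAR, NEW_TAR = make_tar(OLD_FILES), make_tar(NEW_FILES)
OLD_GZ, NEW_GZ = gzip.compress(OLD_TAR, mtime=0), gzip.compress(NEW_TAR, mtime=0)

if __name__ == "__main__":
    for label, old, new in (("uncompressed tar", OLD_TAR, NEW_TAR), ("gzip'd tar", OLD_GZ, NEW_GZ)):
        print(f"{label:16}: {reuse_ratio(old, new):6.1%} of the new file reused from old blocks")
```

On the raw tar only the two 1 KiB blocks touched by the edit are sent as literals; on the gzip'd tar the edit changes the deflate stream from that point on, so almost nothing can be reused.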