On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster?  Is it because
> the leaked key also had access to something in the chain that goes to cvsup, 
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?

Regardless of the circumstances of the incident, use of cvsup/csup has 
always been horrendously dangerous. People should regard any code 
retrieved over this channel to have been potentially compromised by a 
network attacker. 

Portsnap. Srsly.

-David
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
