On 11/18/12, Gary Palmer <gpal...@freebsd.org> wrote:
> On Sat, Nov 17, 2012 at 05:07:16PM +0100, M. Schulte wrote:
>> Hi,
>>
>> > Can someone explain why the cvsup/csup infrastructure is considered
>> > insecure [...]
>>
>> Speaking of cvsup security -- correct me if I'm wrong, but as far as I
>> know cvsup is generally vulnerable to man-in-the-middle attacks[0]. Hence I'd
>> be very happy about more and more people moving over to the portsnap
>> camp.
>>
>> Best,
>> mel
>>
>> [0] http://en.wikipedia.org/wiki/Portsnap
>>
>> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html
>
> While I haven't investigated its protocol in detail, I would tend to suspect
> that svn is just as vulnerable as AFAIK the FreeBSD SVN servers are running
> in clear text mode. And yet we are being pushed towards SVN for source
> access instead of cvsup.
For the base system, and for projects, you should be able to use:

https://svn0.us-west.FreeBSD.org/
https://svn0.us-east.FreeBSD.org/

Unfortunately, AFAIK, the ports tree is not yet available via this interface. (You could use a script and an https client with https://svnweb.FreeBSD.org/ports , but this isn't very convenient.)

> portsnap is great if you can use the official ports tree without local
> modifications. If you need to patch some ports locally (for whatever
> reason) then I believe it is less helpful. cvs/svn let you update your
> local ports tree while keeping your local changes.

True. There are workarounds, but they're a bit awkward. CTM+PGP is only slightly more convenient in this regard.

> In other words: while signed updates via freebsd-update and portsnap
> are great for a good chunk of users, they don't address everyone's needs.

b.
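The thread's practical point is that a cleartext svn:// or cvsup transfer gives the client no way to authenticate the server, whereas the HTTPS mirrors do, provided the client refuses to proceed when the certificate does not check out. The following wrapper is an added example written for this page, not a script from the thread or from the FreeBSD project: it rejects any non-HTTPS repository URL and runs svn with --non-interactive so that an unknown or mismatched server certificate makes the operation fail instead of prompting the user to accept it. The mirror hostname comes from the message above; the repository sub-path below the mirror (written as REPO_PATH) and the destination directory are placeholders the caller supplies, and svn is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): sync a FreeBSD svn tree over HTTPS only,
# failing closed on certificate problems. Mirror URL is from the thread;
# REPO_PATH and the destination directory are caller-supplied placeholders.

SVN_MIRROR="https://svn0.us-west.FreeBSD.org"

# require_https URL -> returns 0 only for https:// URLs.
# svn://, http:// and cvsup carry the tree in clear text with no server
# authentication, so anything on the network path could alter what arrives.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# svn_sync_cmd URL DEST -> prints the svn command to run (checkout if DEST is
# not yet a working copy, update otherwise) or returns 1 for a refused URL.
# --non-interactive makes svn abort on an untrusted or mismatched certificate
# rather than asking the user to accept it. Do not add --trust-server-cert:
# it would silence exactly the failure this wrapper relies on.
svn_sync_cmd() {
    url="$1"
    dest="$2"
    if ! require_https "$url"; then
        echo "refusing non-HTTPS repository URL: $url" >&2
        return 1
    fi
    if [ -d "$dest/.svn" ]; then
        echo "svn update --non-interactive $dest"
    else
        echo "svn checkout --non-interactive $url $dest"
    fi
}

# svn_sync URL DEST -> builds the command and executes it; a refused URL or a
# failed certificate check propagates as a non-zero exit status.
svn_sync() {
    cmd=$(svn_sync_cmd "$1" "$2") || return 1
    echo "running: $cmd" >&2
    $cmd
}

# usage (not executed here):
#   svn_sync "$SVN_MIRROR/REPO_PATH" /usr/src
```

The checkout command is printed before it runs so the exact URL and options can be reviewed or logged; if you ever see an svn certificate error from this wrapper, treat it as a signal to investigate rather than something to override with --trust-server-cert.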