Re: MITM attacks against portsnap and freebsd-update
On 2014-04-11, Matthew Rezny <matthew@reztek.cz> wrote:
> I agree portsnap could be replaced, but SVNlite isn't the answer. Instead, I
> suggest rsync. Rsync is fast to do the initial fetch and even faster to do the
> update.
Rsync performs poorly with large directory trees. Each run, it
stat(2)s every file, bringing the server to its knees.
*The* feature of CVSup was that it cached this metadata.
> in addition to, SSL/TLS support for the TCP connection, the trees could be
> fetched not as thousands of files, but as a couple tar files (src.tar and
> ports.tar), the hashes of which could be verified before extraction. Those tar
> files should be uncompressed in order to allow the rsync algorithm to work its
> magic during updates.
I'm not sure how that scales. Poorly unless the server can hold
the file completely in memory, would be my guess.
--
Christian "naddy" Weisgerber naddy@mips.inka.de