Re: Recent security announcement and csup/cvsup?
On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?
Regardless of the circumstances of the incident, use of cvsup/csup has
always been horrendously dangerous. People should regard any code
retrieved over this channel to have been potentially compromised by a
network attacker.
Portsnap. Srsly.
-David
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 22 之 23 篇):