Re: Recent security announcement and csup/cvsup?
I agree, but there is signature system, which with addition of =
appropriate SW (e.g. built in in ports fetch/update/ ...) provides the =
required security.
LPA
Dne 11/18/12 12:42 AM, pi=9Ae David Thiel:
> On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
>> Can someone explain why the cvsup/csup infrastructure is considered inse=
cure
>> if the person had access to the *package* building cluster? Is it becau=
se
>> the leaked key also had access to something in the chain that goes to cv=
sup,
>> or is it because the project is not auditing the cvsup system and so the
>> default assumption is that it cannot be trusted to not be compromised?
> Regardless of the circumstances of the incident, use of cvsup/csup has
> always been horrendously dangerous. People should regard any code
> retrieved over this channel to have been potentially compromised by a
> network attacker.
>
> Portsnap. Srsly.
>
> -David
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or=
g"
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 22 之 23 篇):