Re: Recent security announcement and csup/cvsup?

On 17 Nov 2012 15:06, "Gary Palmer" <gpalmer@freebsd.org> wrote:
>
> Hi,
>
> Can someone explain why the cvsup/csup infrastructure is considered
insecure
> if the person had access to the *package* building cluster?  Is it because
> the leaked key also had access to something in the chain that goes to
cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?
>
> If it is the latter, someone from the community could check rather than
> encourage everyone who has been using csup/cvsup to wipe and reinstall
> their boxes.  Unfortunately the wipe option is not possible for me right
> now and my backups do go back to before the 19th of September

Checks are being made, but CVS makes it slow work.

It's incredibly unlikely that there will be a problem, but the Project has
to be cautious in recommendations.

Chris
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"