Re: Retiring portsnap [was MITM attacks against portsnap and
On 2014-04-11 15:23, David Noel wrote:
>>> If you look at the portsnap build code you'll see that the first
>>> thing portsnap does is pull the ports tree from Subversion. It uses
>>> the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh
>>> the entire ports archive is exposed to corruption right from the
>>> start.
>>
>> Just to clarify -- this is not entirely true. I have double checked
>> and confirmed that the snapshot builder of portsnap at FreeBSD.org
>> uses svn over spiped transport.
>>
>> The configuration on svn do not necessarily reflect what's running in
>> production (however you brought a very good point that it's a good
>> idea to bring them public assuming there is no sensitive information
>> in them so anyone can review them).
>
> Thanks for checking on that. I don't have production access so I could
> only assume that what was in /user/cperciva/portsnap-build was what we
> were running. I'm surprised to find out that it's not.
>
> My main point was that if you don't trust Subversion it makes no sense
> to say you trust portsnap. Portsnap pulls the ports tree from
> Subversion. Using Subversion! The portsnap system relies on the trust
> of both svnadmin and svn. Just as it does when you run svn co and svn
> up. If you say you don't trust Subversion, essentially what you're
> saying is that you don't trust anything running on your computer.
>
>> you brought a very good point that it's a good
>> idea to bring them public assuming there is no sensitive information
>> in them so anyone can review them).
>
> Thank you. I hope something comes of this conversation. I have no
> access to production so for these sorts of things all I can do is mail
> this list and hope that someone makes the requested changes.
Who said we don't trust subversion? I certainly was not meaning that.
--
Regards,
Bryan Drewery
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 6 之 17 篇):