Re: Retiring portsnap [was MITM attacks against portsnap and

Board: FB_security, posted 2014/04/14 14:01 (post 14 of 17 in the thread)
> Indeed it is not. David's solution - which seems to amount to removing
> portsnap and herding the cats at home to DTRT about using svn securely -
> relies on other cats being as smart and aware of the ramifications as he
> is - a highly questionable proposition especially for the numerous more
> naive users that portsnap renders the process of securely upgrading the
> ports tree just about as simple and consistent as it can be.

On the one hand I do get what you're saying. On the other I don't know that you're fairly characterizing the typical portsnap user. Building ports from source is not something I would think a novice FreeBSD user would do (make can be--and often is--an absolute nightmare!). Rather, I would imagine a novice would be using something like pkgng.

> David, perhaps your obvious talent for auditing the portsnap code and
> its server-side configuration might be better applied to remedying any
> perceived vulnerabilities in conjunction with present and past security
> officers and teams? Thanks.

I'm happy to, and it's on my to-do list, the only problem is that I'm swamped with other projects and it's been sitting on that list for the past 2 years. It seems to be a similar problem for Colin and the Security Team. I'm hoping that by bringing this bug to the list that someone with more free time will be able to patch it.

-David

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"