Hi,

Can someone explain why the cvsup/csup infrastructure is considered insecure
if the person had access to the *package* building cluster? Is it because
the leaked key also had access to something in the chain that goes to cvsup,
or is it because the project is not auditing the cvsup system and so the
default assumption is that it cannot be trusted to not be compromised?

If it is the latter, someone from the community could check rather than
encourage everyone who has been using csup/cvsup to wipe and reinstall
their boxes. Unfortunately the wipe option is not possible for me right
now and my backups do go back to before the 19th of September

Thanks

Gary

On 17 Nov 2012 15:06, "Gary Palmer" <gpalmer at freebsd.org> wrote:
>
> Hi,
>
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?
>
> If it is the latter, someone from the community could check rather than
> encourage everyone who has been using csup/cvsup to wipe and reinstall
> their boxes. Unfortunately the wipe option is not possible for me right
> now and my backups do go back to before the 19th of September

Checks are being made, but CVS makes it slow work. It's incredibly unlikely
that there will be a problem, but the Project has to be cautious in
recommendations.

Chris

Hi,

> Can someone explain why the cvsup/csup infrastructure is considered
> insecure [...]

Speaking of cvsup security -- correct me if I'm wrong, but as far as I know
cvsup is generally vulnerable to man-in-the-middle attacks[0]. Hence I'd be
very happy about more and more people moving over to the portsnap camp.

Best,
mel

[0] http://en.wikipedia.org/wiki/Portsnap
    http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html

On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?

Regardless of the circumstances of the incident, use of cvsup/csup has
always been horrendously dangerous. People should regard any code
retrieved over this channel to have been potentially compromised by a
network attacker.

Portsnap. Srsly.

-David

I agree, but there is a signature system, which, with the addition of
appropriate SW (e.g. built into ports fetch/update/ ...), provides the
required security.

LPA

On 11/18/12 12:42 AM, David Thiel wrote:
> On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
>> Can someone explain why the cvsup/csup infrastructure is considered insecure
>> if the person had access to the *package* building cluster? Is it because
>> the leaked key also had access to something in the chain that goes to cvsup,
>> or is it because the project is not auditing the cvsup system and so the
>> default assumption is that it cannot be trusted to not be compromised?
> Regardless of the circumstances of the incident, use of cvsup/csup has
> always been horrendously dangerous. People should regard any code
> retrieved over this channel to have been potentially compromised by a
> network attacker.
>
> Portsnap. Srsly.
>
> -David

> I have a problem with the portsnap: I maintain a private
> "repository" under the /usr/ports: There is a /usr/ports/tmp where I store
> new ports to be tested, and submitted. The portsnap is removing
> unrecognized local files.

Adding the line

    REFUSE tmp

to /etc/portsnap.conf should make portsnap ignore that directory.
Check `man portsnap.conf` for more details.

Thanks for pointing that out.

Janos Mohacsi
Head of HBONE+ project
Network Engineer, Director Network and Multimedia
NIIF/HUNGARNET, HUNGARY
Co-chair of Hungarian IPv6 Forum
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

On Tue, 20 Nov 2012, L Campbell wrote:
>> I have a problem with the portsnap: I maintain a private
>> "repository" under the /usr/ports: There is a /usr/ports/tmp where I store
>> new ports to be tested, and submitted. The portsnap is removing
>> unrecognized local files.
>
> Adding the line
>
>     REFUSE tmp
>
> to /etc/portsnap.conf should make portsnap ignore that directory.
> Check `man portsnap.conf` for more details.