CVSup is slow, insecure, and a memory hog. However, until now it's been the only option for keeping an up-to-date ports tree, and (thanks to all of the recent work on vuxml and portaudit) it has become quite obvious that keeping an up-to-date ports tree is very important.

To provide a secure, lightweight, and fast alternative to CVSup, I've written portsnap. As the name suggests, this is a system for building, *signing*, and distributing compressed snapshots of the ports tree, which can then be extracted into /usr/ports as needed.

Portsnap is:
* Lightweight. It's a 15kB shell script which uses under 50kB of other binaries.
* Designed for frequent updating. Unlike CVSup, it doesn't need to transmit a complete list of files in the ports tree each time it runs; in fact, if there are no updates available, it only needs to fetch a single file of 256 bytes.
* Secure. Using code from FreeBSD Update, the ports snapshots are signed using a 2048-bit RSA key.
* HTTP-only. That's right, you don't need to beg your network maintainer to allow outgoing connections on port 5999 any more. :-)

Right now I'm only building snapshots once per day, but after this has had some testing I'll increase that to once every 1-2 hours. Similarly, portsnap isn't in the ports tree yet, but it will appear there once I'm satisfied with the testing that it has received.

So please go and test! Portsnap can be downloaded from
http://www.daemonology.net/portsnap/

Colin Percival

PS. I'm not sure how many testers this message is going to elicit, nor how much bandwidth portsnap.daemonology.net can comfortably handle. I may come back tomorrow and ask for some mirrors. :-)
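The signing design described in the announcement above, as an added sketch that is not portsnap's own code: a 2048-bit RSA signature is 256 bytes, and a client holding a pinned public key can reject a modified snapshot even when it arrives over plain HTTP. The tag format (`snapshot|<sha256>`), the file names and the throwaway key are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration: verify a signed snapshot tag before trusting a snapshot
# fetched over plain HTTP. Key, tag format and file names are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Builder side (constructed): throwaway 2048-bit key, a stand-in snapshot,
# and a signed tag that names the snapshot's SHA-256 hash.
build_snapshot() {
    openssl genrsa -out "$WORK/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
    printf 'constructed ports tree contents\n' > "$WORK/snap.tgz"
    hash=$(openssl dgst -sha256 -r "$WORK/snap.tgz" | cut -d' ' -f1)
    printf 'snapshot|%s\n' "$hash" > "$WORK/tag"
    openssl dgst -sha256 -sign "$WORK/priv.pem" -out "$WORK/tag.sig" "$WORK/tag"
}

# Size of the signature in bytes; 2048 bits / 8 = 256.
sig_size() { wc -c < "$WORK/tag.sig" | tr -d ' '; }

# Client side: accept the snapshot only if the tag's signature verifies
# against the pinned public key AND the snapshot hash matches the tag.
verify_snapshot() {
    openssl dgst -sha256 -verify "$WORK/pub.pem" \
        -signature "$WORK/tag.sig" "$WORK/tag" >/dev/null 2>&1 || return 1
    want=$(cut -d'|' -f2 "$WORK/tag")
    got=$(openssl dgst -sha256 -r "$WORK/snap.tgz" | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

build_snapshot
echo "signature bytes: $(sig_size)"
verify_snapshot && echo "genuine snapshot: accepted"

# Simulate in-transit modification of the snapshot.
printf 'injected line\n' >> "$WORK/snap.tgz"
verify_snapshot || echo "tampered snapshot: rejected"
```

The hash comparison is what binds the large download to the small signed file; checking the signature alone would not detect a swapped snapshot.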
Colin Percival wrote:
> CVSup is slow, insecure, and a memory hog. However, until now
> it's been the only option for keeping an up-to-date ports tree,
> and (thanks to all of the recent work on vuxml and portaudit)
> it has become quite obvious that keeping an up-to-date ports
> tree is very important.
>
> To provide a secure, lightweight, and fast alternative to CVSup,
> I've written portsnap. As the name suggests, this is a system
> for building, *signing*, and distributing compressed snapshots
> of the ports tree, which can then be extracted into /usr/ports
> as needed.
>
> Portsnap is:
> * Lightweight. It's a 15kB shell script which uses under 50kB
> of other binaries.
> * Designed for frequent updating. Unlike CVSup, it doesn't
> need to transmit a complete list of files in the ports tree each
> time it runs; in fact, if there are no updates available, it only
> needs to fetch a single file of 256 bytes.
> * Secure. Using code from FreeBSD Update, the ports snapshots
> are signed using a 2048-bit RSA key.
> * HTTP-only. That's right, you don't need to beg your network
> maintainer to allow outgoing connections on port 5999 any more. :-)
>
> Right now I'm only building snapshots once per day, but after
> this has had some testing I'll increase that to once every 1-2
> hours. Similarly, portsnap isn't in the ports tree yet, but it
> will appear there once I'm satisfied with the testing that it
> has received.
>
> So please go and test! Portsnap can be downloaded from
> http://www.daemonology.net/portsnap/
>
> Colin Percival
> PS. I'm not sure how many testers this message is going to elicit,
> nor how much bandwidth portsnap.daemonology.net can comfortably
> handle. I may come back tomorrow and ask for some mirrors. :-)

I'm going to test it on a fresh FreeBSD 4.10-RELEASE install and if the download file size is small I will mirror it on my website. I will later post results from my testing.

I hope to read from you soon,
Bertrand Juglas
Colin Percival <colin.percival@wadham.ox.ac.uk> writes:
> CVSup is slow, insecure, and a memory hog.

If cvsup is slow, you're not using it right.

I'm sure portsnap is a wonderful piece of software, but there's no need to spread FUD about cvsup to promote it.

DES
--
Dag-Erling Smørgrav - des@des.no
Colin,

This sounds great. If you do end up needing a mirror, feel free to email me. I have a couple of servers on different connections (10/100mbit) that I might be able to donate to your cause.

In the meantime, I'm going to give it a shot.

Regards,
-JD-

--On Tuesday, October 26, 2004 20:58:54 +0100 Colin Percival <colin.percival@wadham.ox.ac.uk> wrote:
> CVSup is slow, insecure, and a memory hog. However, until now
> it's been the only option for keeping an up-to-date ports tree,
> and (thanks to all of the recent work on vuxml and portaudit)
> it has become quite obvious that keeping an up-to-date ports
> tree is very important.
>
> To provide a secure, lightweight, and fast alternative to CVSup,
> I've written portsnap. As the name suggests, this is a system
> for building, *signing*, and distributing compressed snapshots
> of the ports tree, which can then be extracted into /usr/ports
> as needed.
>
> Portsnap is:
> * Lightweight. It's a 15kB shell script which uses under 50kB
> of other binaries.
> * Designed for frequent updating. Unlike CVSup, it doesn't
> need to transmit a complete list of files in the ports tree each
> time it runs; in fact, if there are no updates available, it only
> needs to fetch a single file of 256 bytes.
> * Secure. Using code from FreeBSD Update, the ports snapshots
> are signed using a 2048-bit RSA key.
> * HTTP-only. That's right, you don't need to beg your network
> maintainer to allow outgoing connections on port 5999 any more. :-)
>
> Right now I'm only building snapshots once per day, but after
> this has had some testing I'll increase that to once every 1-2
> hours. Similarly, portsnap isn't in the ports tree yet, but it
> will appear there once I'm satisfied with the testing that it
> has received.
>
> So please go and test! Portsnap can be downloaded from
> http://www.daemonology.net/portsnap/
>
> Colin Percival
> PS. I'm not sure how many testers this message is going to elicit,
> nor how much bandwidth portsnap.daemonology.net can comfortably
> handle. I may come back tomorrow and ask for some mirrors. :-)
Is this something that can be used to replace cvsup in a general term like cvsync?

--
-David

Steven David Rhodus <drhodus@machdep.com>
On Tue, 2004-Oct-26 20:58:54 +0100, Colin Percival wrote:
>CVSup is slow, insecure, and a memory hog. However, until now
>it's been the only option for keeping an up-to-date ports tree,
...
>
>To provide a secure, lightweight, and fast alternative to CVSup,
>I've written portsnap.

It sounds like you've re-invented CTM rather than a CVSup replacement. Would you care to provide a comparison of portsnap with CTM?

Based on your description, the differences are:
- portsnap uses HTTP, CTM uses either FTP or mail.
- portsnap is always signed, CTM is only signed via mail.
- CTM is part of the base system
- ports-cur CTM deltas are currently generated every 8 hours

--
Peter Jeremy