Hi, Can someone explain why the cvsup/csup infrastructure is considered insecure if the person had access to the *package* building cluster? Is it because the leaked key also had access to something in the chain that goes to cvsup, or is it because the project is not auditing the cvsup system and so the default assumption is that it cannot be trusted to not be compromised? If it is the latter, someone from the community could check rather than encourage everyone who has been using csup/cvsup to wipe and reinstall their boxes. Unfortunately the wipe option is not possible for me right now and my backups do go back to before the 19th of September Thanks Gary _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"