On Sat, Nov 17, 2012 at 05:07:16PM +0100, M. Schulte wrote:
> Hi,
>
> > Can someone explain why the cvsup/csup infrastructure is considered
> > insecure [...]
>
> Speaking of cvsup security -- correct me if I'm wrong, but as far as I
> know cvsup is generally vulnerable to man-in-the-attacks[0]. Hence I'd
> be very happy about more and more people moving over to the portsnap
> camp.
>
> Best,
> mel
>
> [0] http://en.wikipedia.org/wiki/Portsnap
>     http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html

While I haven't investigated its protocol in detail, I would tend to
suspect that svn is just as vulnerable as AFAIK the FreeBSD SVN servers
are running in clear text mode. And yet we are being pushed towards SVN
for source access instead of cvsup.

portsnap is great if you can use the official ports tree without local
modifications. If you need to patch some ports locally (for whatever
reason) then I believe it is less helpful. cvs/svn let you update your
local ports tree while keeping your local changes.

In other words: while signed updates via freebsd-update and portsnap are
great for a good chunk of users, they don't address everyone's needs.

Regards,
Gary
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"