Do you still need CTM?

Andre Albsmeier Andre.Albsmeier at siemens.com
Thu Aug 20 04:47:52 UTC 2015


On Wed, 19-Aug-2015 at 23:33:15 +0000, Montgomery-Smith, Stephen wrote:
> On 08/18/2015 09:10 PM, Montgomery-Smith, Stephen wrote:
> > I just received an email from one of the FreeBSD people telling me 
> > that they are worried about the security threat posed by CTM.
> > They would like to disconnect it from the base FreeBSD system.
> > 
> > Personally I have become extremely happy with using subversion, and
> > if CTM were to disappear, I could live without it very easily.
> > 
> > But maybe some of you feel differently.  One thing we could do is 
> > 1.  Create a CTM port; 2.  Put the deltas on a server other than
> > official FreeBSD servers; 3.  Host our own mailing lists.
> > 
> > Honestly, I think the best thing to do is to close CTM.  But if
> > anyone else really wants CTM, and is willing to do (2) and (3), I
> > can easily do (1).
> 
> 1.  One thing I can do is to keep the CTM deltas being generated, and
> keep the following web page open: http://web.missouri.edu/~stephen/CTM/
> The only thing I cannot store are the svn-cur xEmpty files, because I

I personally could live with that perfectly.

> haven't been given enough space.  I cannot maintain any kind of
> mailing list.  Also, since this web space belongs to the University of
> Missouri, they might take it down some day.

So one would have to check this web page to get the latest deltas?
Well, that's fine as well.

> 
> 2.  I am sympathetic to the security concerns.  Having seen the recent
> security advisories, it seems to me that no-one can predict how some
> odd bit of code on the side will one day become a problem.  And I
> think to do a full audit of the ctm code would be a lot of work.
> 
> If we disconnect CTM from the FreeBSD project, and run it privately
> from the side, then it doesn't decrease our security problems.  But it
> does decrease FreeBSD's potential security problems.  And if the CTM
> code gets hit by some weird virus (e.g. a forged email sending a delta
> that lays your computers open to the world), the FreeBSD project won't
> then get embarrassed.

OK. Again fine for me.

> 
> 3.  I'm not so sympathetic to the issue of how much space the svn
> repository takes.  Disk space is so cheap these days.  But presumably

Right. But there are machines where you can't simply plug in a 2 TB
SATA drive -- no matter if it costs 10 or 100 Euros. And if you have
got several of these, you really start to love CTM ;-)

	-Andre


> people who are concerned over that issue don't need the svn-cur CTM
> deltas, and only want ports-cur or src-*.  Then what I offer in point
> (1) should be satisfactory.
> 
> Stephen
> _______________________________________________
> ctm-users at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/ctm-users
> To unsubscribe, send any mail to "ctm-users-unsubscribe at freebsd.org"

-- 
Jeder Projektmanager, der glaubt, Projekte zu managen, der
glaubt auch, dass Zitronenfalter Zitronen falten.


More information about the ctm-users mailing list