please test: Secure ports tree updating
Jason DiCioccio
jd at ods.org
Tue Oct 26 13:18:05 PDT 2004
Colin,

This sounds great. If you do end up needing a mirror, feel free to email
me. I have a couple of servers on different connections (10/100mbit) that
I might be able to donate to your cause. In the meantime, I'm going to
give it a shot.

Regards,
-JD-

--On Tuesday, October 26, 2004 20:58:54 +0100 Colin Percival
<colin.percival at wadham.ox.ac.uk> wrote:
> CVSup is slow, insecure, and a memory hog. However, until now
> it's been the only option for keeping an up-to-date ports tree,
> and (thanks to all of the recent work on vuxml and portaudit)
> it has become quite obvious that keeping an up-to-date ports
> tree is very important.
>
> To provide a secure, lightweight, and fast alternative to CVSup,
> I've written portsnap. As the name suggests, this is a system
> for building, *signing*, and distributing compressed snapshots
> of the ports tree, which can then be extracted into /usr/ports
> as needed.
>
> Portsnap is:
> * Lightweight. It's a 15kB shell script which uses under 50kB
> of other binaries.
> * Designed for frequent updating. Unlike CVSup, it doesn't
> need to transmit a complete list of files in the ports tree each
> time it runs; in fact, if there are no updates available, it only
> needs to fetch a single file of 256 bytes.
> * Secure. Using code from FreeBSD Update, the ports snapshots
> are signed using a 2048-bit RSA key.
> * HTTP-only. That's right, you don't need to beg your network
> maintainer to allow outgoing connections on port 5999 any more. :-)
>
> Right now I'm only building snapshots once per day, but after
> this has had some testing I'll increase that to once every 1-2
> hours. Similarly, portsnap isn't in the ports tree yet, but it
> will appear there once I'm satisfied with the testing that it
> has received.
>
> So please go and test! Portsnap can be downloaded from
> http://www.daemonology.net/portsnap/
>
> Colin Percival
> PS. I'm not sure how many testers this message is going to elicit,
> nor how much bandwidth portsnap.daemonology.net can comfortably
> handle. I may come back tomorrow and ask for some mirrors. :-)