Recent security announcement and csup/cvsup?

Gary Palmer gpalmer at freebsd.org
Sat Nov 17 15:06:02 UTC 2012


Hi,

Can someone explain why the cvsup/csup infrastructure is considered insecure
if the person had access to the *package* building cluster?  Is it because
the leaked key also had access to something in the chain that goes to cvsup, 
or is it because the project is not auditing the cvsup system and so the
default assumption is that it cannot be trusted to not be compromised?

If it is the latter, someone from the community could check rather than
encourage everyone who has been using csup/cvsup to wipe and reinstall
their boxes.  Unfortunately the wipe option is not possible for me right
now and my backups do go back to before the 19th of September.

Thanks

Gary



More information about the freebsd-security mailing list