Secure updating of OS and ports
Colin Percival
colin.percival at wadham.ox.ac.uk
Tue Nov 18 08:42:58 PST 2003
At 09:32 18/11/2003 -0700, M. Warner Losh wrote:
>cvsup is secure from everything except man in the middle or
>redirection attacks. When you run cvsup over an ssh-tunnel, you can
>solve these problems if you trust the cvsup running on the localhost
>you ssh to.

In other words, cvsup -- as the general public uses it -- is secure,
provided that you trust your DNS servers, the FreeBSD DNS servers, the
cvsup mirror you access, and everyone with access to the local network
segments on which the above reside. It's *almost* as secure as http -- but
not quite, since the mirror system provides another point of attack.

If everyone used ssh tunnels to cvsup-master, this wouldn't be an
issue... but that isn't an option.

Colin Percival