please test: Secure ports tree updating

From: Colin Percival (colin.percival_at_wadham.ox.ac.uk)
Date: 10/26/04

    Date: Tue, 26 Oct 2004 20:58:54 +0100
    To: freebsd-ports@freebsd.org
    
    

    CVSup is slow, insecure, and a memory hog. However, until now
    it's been the only option for keeping an up-to-date ports tree,
    and (thanks to all of the recent work on vuxml and portaudit)
    it has become quite obvious that keeping an up-to-date ports
    tree is very important.

    To provide a secure, lightweight, and fast alternative to CVSup,
    I've written portsnap. As the name suggests, this is a system
    for building, *signing*, and distributing compressed snapshots
    of the ports tree, which can then be extracted into /usr/ports
    as needed.

    Portsnap is:
      * Lightweight. It's a 15kB shell script which uses under 50kB
        of other binaries.
      * Designed for frequent updating. Unlike CVSup, it doesn't
        need to transmit a complete list of files in the ports tree each
        time it runs; in fact, if there are no updates available, it only
        needs to fetch a single file of 256 bytes.
      * Secure. Using code from FreeBSD Update, the ports snapshots
        are signed using a 2048-bit RSA key.
      * HTTP-only. That's right, you don't need to beg your network
        maintainer to allow outgoing connections on port 5999 any more. :-)

    Right now I'm only building snapshots once per day, but after
    this has had some testing I'll increase that to once every 1-2
    hours. Similarly, portsnap isn't in the ports tree yet, but it
    will appear there once I'm satisfied with the testing that it
    has received.

    So please go and test! Portsnap can be downloaded from
    http://www.daemonology.net/portsnap/

    Colin Percival
    PS. I'm not sure how many testers this message is going to elicit,
    nor how much bandwidth portsnap.daemonology.net can comfortably
    handle. I may come back tomorrow and ask for some mirrors. :-)