please test: Secure ports tree updating

From: Colin Percival (colin.percival_at_wadham.ox.ac.uk)
Date: 10/26/04

  • Next message: Bertrand JUGLAS: "Re: please test: Secure ports tree updating"
    Date: Tue, 26 Oct 2004 20:58:54 +0100
    To: freebsd-ports@freebsd.org
    
    

    CVSup is slow, insecure, and a memory hog. However, until now
    it's been the only option for keeping an up-to-date ports tree,
    and (thanks to all of the recent work on vuxml and portaudit)
    it has become quite obvious that keeping an up-to-date ports
    tree is very important.

    To provide a secure, lightweight, and fast alternative to CVSup,
    I've written portsnap. As the name suggests, this is a system
    for building, *signing*, and distributing compressed snapshots
    of the ports tree, which can then be extracted into /usr/ports
    as needed.

    Portsnap is:
      * Lightweight. It's a 15kB shell script which uses under 50kB
    of other binaries.
      * Designed for frequent updating. Unlike CVSup, it doesn't
    need to transmit a complete list of files in the ports tree each
    time it runs; in fact, if there are no updates available, it only
    needs to fetch a single file of 256 bytes.
      * Secure. Using code from FreeBSD Update, the ports snapshots
    are signed using a 2048-bit RSA key.
      * HTTP-only. That's right, you don't need to beg your network
    maintainer to allow outgoing connections on port 5999 any more. :-)

    Right now I'm only building snapshots once per day, but after
    this has had some testing I'll increase that to once every 1-2
    hours. Similarly, portsnap isn't in the ports tree yet, but it
    will appear there once I'm satisfied with the testing that it
    has received.

    So please go and test! Portsnap can be downloaded from
    http://www.daemonology.net/portsnap/

    Colin Percival
    PS. I'm not sure how many testers this message is going to elicit,
    nor how much bandwidth portsnap.daemonology.net can comfortably
    handle. I may come back tomorrow and ask for some mirrors. :-)
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Bertrand JUGLAS: "Re: please test: Secure ports tree updating"