Board: FB_security
Subject: Re: Recent security announcement and csup/cvsup?
Posted from: NCTU CS FreeBSD Server (Sat Nov 17 23:43:13 2012)
Relay path: ptt!csnews.cs.nctu!news.cs.nctu!.cs.nctucs.nctu!.org!ownorg!owner-free
On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?
Regardless of the circumstances of the incident, use of cvsup/csup has
always been horrendously dangerous. People should regard any code
retrieved over this channel to have been potentially compromised by a
network attacker.
Portsnap. Srsly.
-David
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security