On Aug 22, 2006, at 12:19 AM, Erik Trulsson wrote:

On Tue, Aug 22, 2006 at 06:38:46AM +0100, Matthew Seaman wrote:
Lowell Gilbert wrote:
Garrett Cooper <[EMAIL PROTECTED]> writes:

Gerard Seibert wrote:

IMHO, it might be a lot easier for him to use portsnap. Especially
if he is not familiar with the FBSD ports system. Just my opinion

   CVSUP isn't that difficult IMHO to learn, and is a better, more
efficient way to download the ports Makefiles.

In what way?  For typical applications, lower bandwidth usage is
supposedly an advantage of portsnap.

It will take him all of 10-20 minutes to configure if he reads the documentation and uses the
example file.

I would think so.  And it can be used with arbitrary cvs trees,
including the FreeBSD source tree.  On the other hand, it doesn't
come in the FreeBSD base system, and it doesn't sign the updates.

But csup(1) is in the base system for values of base system equal to
6.1-STABLE or better.  csup(1) is cvsup(1) reimplemented in plain C
and apart from the graphical display stuff is a drop in replacement
for cvsup(1).

Not quite a drop in replacement. csup(1) does not (yet) support CVS mode
which is used to maintain a local copy of the repository.

I did a bit of searching and it appears that my thoughts on how CVSUP is implemented are slightly skewed. From the portsnap developer's page:

-CVSup is insecure. The protocol uses no encryption or signing, and any attacker who can intercept the connection can insert arbitrary data into the tree you are updating. -CVSup isn't end-to-end. Related to the previous point, this means that anyone who can compromise a CVSup mirror can feed arbitrary data to the people who are using that mirror. -CVSup isn't designed for frequent small updates. While CVSup is very good at distributing CVS trees, and is very efficient for updating a tree which has been significantly changed (eg, by a month or more of commits), it transmits a list of all the files in the tree, which makes it quite inefficient if only a few files have changed. -CVSup uses a custom protocol. This can cause problems for people behind firewalls -- outgoing connections on port 5999 need to be permitted -- and it needs a heavyweight server (cvsupd).

The first and fourth points are the ones I noted as the flaw in my original argument of the overall operation of CVSUP vs portsnap. I thought that CVSUP actually used the CVS protocol to transfer data, which can encrypt data using SSH tunneling but it actually doesn't and is very insecure =\. Noting that portsnap fetches all files via fetch with ssl support enabled as well by quickly reading through the portsnap script, it is much more secure than CVSUP is.

The only thing to note is that you still need to use CVSUP to update your base package sources, as there isn't a compressed, fetching equivalent like portsnap available for the sources.

Although this would have been more efficient for beno because it sounds like his ports tree hasn't been updated in ages, portsnap would be better to use in the future for updating his ports tree.

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to