Secure FreeBSD ports tree updating
- CVSup is insecure. The protocol uses no encryption or signing, and any attacker who can intercept the connection can insert arbitrary data into the tree you are updating.
- CVSup isn't end-to-end. Related to the previous point, this means that anyone who can compromise a CVSup mirror can feed arbitrary data to the people who are using that mirror.
- CVSup isn't designed for frequent small updates. While CVSup is very good at distributing CVS trees, and is very efficient at updating a tree which has changed significantly (e.g., after a month or more of commits), it transmits a list of every file in the tree, which makes it quite inefficient when only a few files have changed.
- CVSup uses a custom protocol. This can cause problems for people behind firewalls -- outgoing connections on port 5999 need to be permitted -- and it needs a heavyweight server (cvsupd).
Portsnap stores a compressed snapshot of the ports tree (around 40 MB) on disk, by default in /usr/local/portsnap. This compressed snapshot can then be extracted as needed (e.g., into /usr/ports).
Portsnap is in the FreeBSD base system for all versions from 5.5 upwards (including 6.0, which was released before 5.5); users of earlier FreeBSD releases can install portsnap from the ports tree (sysutils/portsnap).
I have a nice portsnap usage graph showing the number of systems running each version of portsnap (as approximated by the updates they fetch).
Usage
- Install sysutils/portsnap from the FreeBSD ports tree.
- To fetch a compressed snapshot, or update your current compressed snapshot, run `portsnap fetch`.
- To extract the ports tree, run `portsnap extract`.
- After extracting a ports tree, to update it to reflect changes in the compressed snapshot, run `portsnap update` -- this is much faster than `portsnap extract` because it avoids extracting directories which haven't changed.
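A small sh wrapper for the fetch/extract/update sequence above, added here as an example; it is not part of this page or of portsnap itself. It assumes that portsnap leaves a .portsnap.INDEX marker file in a tree it has extracted and that `portsnap update` refuses a tree which was not created by portsnap, so the wrapper picks `extract` for a fresh or foreign tree and `update` otherwise, and it never touches the tree if `fetch` fails.

```shell
#!/bin/sh
# Decide which portsnap step applies to a ports directory.
# Assumption: a tree extracted by portsnap contains .portsnap.INDEX;
# without it, "portsnap update" would refuse to run, so "extract" is needed.
portsnap_action() {
    portsdir="${1:-/usr/ports}"
    if [ -f "$portsdir/.portsnap.INDEX" ]; then
        echo update
    else
        echo extract
    fi
}

# Full sync: refresh the compressed snapshot in the portsnap work directory,
# then apply it to the ports tree with whichever step portsnap_action chose.
# A failed fetch aborts before anything is written to the ports tree.
portsnap_sync() {
    portsdir="${1:-/usr/ports}"
    portsnap fetch || return 1
    portsnap -p "$portsdir" "$(portsnap_action "$portsdir")"
}
```

Invoke it as `portsnap_sync` (defaults to /usr/ports) or `portsnap_sync /some/other/ports` from a script that has sourced these functions.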
FROM http://www.daemonology.net/portsnap/