NetBSD-Bugs archive


misc/57995: rsync repo transfers are insecure



>Number:         57995
>Category:       misc
>Synopsis:       rsync repo transfers are insecure
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Mar 03 19:50:00 +0000 2024
>Originator:     Robert Whitlock
>Release:        
>Organization:
>Environment:
>Description:
The directions at https://netbsd.org/docs/current/#getrepos give the option of using rsync to download the whole repository; however, using plain rsync is unencrypted. There is no way to get an encrypted rsync connection of the NetBSD repository (because the NetBSD servers don't offer it) and there is no way to verify the correctness of the downloaded repository with cryptographic signatures. This means that any rsync transfers performed by the general public (who do not have ssh keys for rsync+ssh) are vulnerable to man-in-the-middle attacks, creating what is, for almost all practical purposes, a supply chain attack on the entire operating system.
>How-To-Repeat:
Follow the directions at https://netbsd.org/docs/current/#getrepos, then run netstat -nf inet and note that the port for unencrypted rsync is being used.
>Fix:
Some possible solutions:

1) enable rsync-ssl on the NetBSD servers
2) find some way to sign rsynced repositories and publish the signatures and associated public keys somehow
3) offer another way to retrieve the repository that can either be accessed over an encrypted connection or can be verified with cryptographic signatures after downloading it 
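
Added example, not part of the original report or of NetBSD's tooling: a shell filter that automates the How-To-Repeat check by reading BSD-style `netstat -nf inet` output and listing TCP connections whose foreign port is 873, the IANA-assigned rsync daemon port. The function names and the sample output (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Flag cleartext rsync-daemon connections in BSD-style `netstat -nf inet` output.
# 873 is the IANA-assigned port for the rsync daemon protocol (no TLS).
RSYNC_PORT=873

# Reads netstat output on stdin and prints one line per TCP socket whose
# FOREIGN port is the rsync daemon port. BSD netstat writes addresses as
# host.port (e.g. 198.51.100.7.873), so the port is the text after the last dot.
find_plain_rsync() {
    awk -v port="$RSYNC_PORT" '
        $1 ~ /^tcp/ && NF >= 6 {
            foreign = $5
            n = split(foreign, parts, ".")
            if (parts[n] == port) {
                host = foreign
                sub(/\.[0-9]+$/, "", host)   # strip the trailing .port
                printf "%s -> %s port %s %s\n", $4, host, port, $6
            }
        }'
}

# Constructed sample, not captured from a real host:
#   line 1: outbound rsync daemon transfer (should be flagged)
#   line 2: outbound ssh, as used by rsync+ssh (not flagged)
#   line 3: local port 873, i.e. this host is the server (not flagged)
#   line 4: UDP traffic (ignored)
sample_netstat() {
    cat <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  192.0.2.10.65012       198.51.100.7.873       ESTABLISHED
tcp        0      0  192.0.2.10.65013       198.51.100.7.22        ESTABLISHED
tcp        0      0  192.0.2.10.873         203.0.113.5.40100      TIME_WAIT
udp        0      0  192.0.2.10.123         198.51.100.9.123
EOF
}

# Demonstration on the constructed sample. For a live check during a
# checkout, run instead:  netstat -nf inet | find_plain_rsync
sample_netstat | find_plain_rsync
```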


