From: Matthew Seaman
Date: Wed, 21 Nov 2012 06:18:13 +0000
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident]
Message-ID: <50AC7225.2070906@FreeBSD.org>
In-Reply-To: <20121121033750.48D8B2B723EB@drugs.dv.isc.org>
References: <20121120030445.GA38037@zjl.local> <20121120163059.GD88593@in-addr.com> <20121121031959.GA30708@server.rulingia.com> <20121121033750.48D8B2B723EB@drugs.dv.isc.org>

On 21/11/2012 03:37, Mark Andrews wrote:
>> The certificates are self-signed.  Whilst the hashes are published on
>> the FreeBSD website, that site is only available via HTTP so there's
>> still a bootstrap issue - which I don't have a general solution for.
> See DANE, RFC 6698.

Which means getting the FreeBSD.org domain signed using DNSSEC.
Something I'd be very happy to see.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey