Date: Sat, 18 Jun 2016 13:35:09 -0700
From: Ben Steel <bhs@precisionforesight.com>
To: freebsd-stable@freebsd.org
Subject: re: new certificate for svn.freebsd.org?
Message-ID: <75ab3435-a4cd-0866-ab2f-7e8e86281afb@precisionforesight.com>
* Matthew Seaman <matthew at FreeBSD.org> [160618 11:21]:
> Even so, the option used to be off by default: the change to 'on by
> default' was made almost exactly a year ago, and there have been
> several changes to the list of certs since, so not having the symlink
> in place indicates either that you haven't updated your ports
> recently, or that you've specifically chosen not to enable the
> symlink. In which case you wouldn't have been able to validate the
> previous cert either.
>
> There really is no excuse for not updating the ca_root_nss port
> immediately there are updates available. Otherwise you can end up
> trusting certificates that have since been shown to be less than
> trustworthy.
>
> That you couldn't verify the cert is not a bug in FreeBSD, but a
> configuration problem in your own system. Not having the right
> fingerprint in the docs certainly is a bug which I'm sure will be
> addressed soon.

Thanks for the warnings, Matthew.

In my case, the symlink was in place in all the relevant jails, just not
on the underlying system, which pre-dated the config change and
communicated only with svn.freebsd.org to update the src and ports trees
daily. That key had been manually verified long ago.

I moved the bug report to documentation as soon as I realized that my
lack of a symlink was at fault.

Hope this helps,
Ben
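A host-side check for the situation described in this thread, added here as an example and not part of the original messages: it confirms that the CA bundle symlink installed by the ca_root_nss port exists, resolves to a bundle that actually contains certificates, and has been refreshed recently enough that a distrusted root is unlikely to still be present. The default path /etc/ssl/cert.pem, the option name ETCSYMLINK and the 90-day staleness threshold are assumptions about a stock FreeBSD install, not values taken from the thread.

```shell
#!/bin/sh
# Added example: verify the CA bundle that svn (via OpenSSL) uses to validate
# svn.freebsd.org. The default link path and the ETCSYMLINK option name are
# assumptions about a standard FreeBSD/ca_root_nss setup.
#
# Usage: check_ca_bundle [LINK_PATH] [MAX_AGE_DAYS]
# Exit codes: 0 ok, 1 no bundle at LINK_PATH, 2 dangling/unreadable link,
#             3 bundle holds no certificates, 4 bundle older than MAX_AGE_DAYS.
check_ca_bundle() {
    link="${1:-/etc/ssl/cert.pem}"
    max_age_days="${2:-90}"

    # Neither a symlink nor a file: the ETCSYMLINK option is off, or the
    # port was installed before the default changed and never updated.
    if [ ! -L "$link" ] && [ ! -e "$link" ]; then
        echo "no CA bundle at $link: enable ETCSYMLINK on security/ca_root_nss" >&2
        return 1
    fi
    # The link exists but its target is gone or unreadable.
    if [ ! -r "$link" ]; then
        echo "$link does not resolve to a readable file (dangling symlink?)" >&2
        return 2
    fi
    # grep -c prints 0 and exits non-zero on no match; keep the count.
    ncerts=$(grep -c 'BEGIN CERTIFICATE' "$link" || true)
    if [ "$ncerts" -eq 0 ]; then
        echo "$link contains no certificates" >&2
        return 3
    fi
    # A bundle untouched for a long time means the port has not been updated,
    # so roots that were later distrusted may still be accepted.
    if [ -n "$(find -L "$link" -mtime +"$max_age_days" 2>/dev/null)" ]; then
        echo "$link has $ncerts roots but is older than $max_age_days days" >&2
        return 4
    fi
    echo "$link: $ncerts trusted root certificates, bundle is current"
    return 0
}
```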
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?75ab3435-a4cd-0866-ab2f-7e8e86281afb>