Date: Wed, 21 Nov 2012 06:18:13 +0000 From: Matthew Seaman <matthew@FreeBSD.org> To: freebsd-security@freebsd.org Subject: Re: FreeBSD needs Git to ensure repo integrity [was: 2012 incident] Message-ID: <50AC7225.2070906@FreeBSD.org> In-Reply-To: <20121121033750.48D8B2B723EB@drugs.dv.isc.org> References: <CAD2Ti29UoFcHendR8CcdQ4FPNW1HH0O47B1i3JW00Lke2m2POg@mail.gmail.com> <CAJ-VmonryjAOW-Ty%2Bs3wj6BfWiQzxSL-waEYnQ5wLv4eFjQ_4Q@mail.gmail.com> <20121120030445.GA38037@zjl.local> <CAF6rxgkcuCRssMniTSapK92aJOkcg996tF2o22yuKG1pt6mbdQ@mail.gmail.com> <BABF8C57A778F04791343E5601659908236D2B@cinip100ntsbs.irtnog.net> <CAF6rxg=RLBm=RDh=WxqwJV2F9LxwC8vExDabAjiyycLrZvu2Hw@mail.gmail.com> <20121120163059.GD88593@in-addr.com> <20121121031959.GA30708@server.rulingia.com> <20121121033750.48D8B2B723EB@drugs.dv.isc.org>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On 21/11/2012 03:37, Mark Andrews wrote: >> The certificates are self-signed. Whilst the hashes are published on >> > the FreeBSD website, that site is only available via HTTP so there's >> > still a bootstrap issue - which I don't have a general solution for. > See DANE, RFC 6698. Which means getting the FreeBSD.org domain signed using DNSSEC. Something I'd be very happy to see. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlCsci4ACgkQ8Mjk52CukIxNogCfe9PZry+ejaa86Us5ueQhFHw+ ioEAn09lasIPuDPYeluU8x4RMh7SBKg7 =A+ww -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50AC7225.2070906>