From: "Poul-Henning Kamp" <phk@critter.freebsd.dk>
To: Dag-Erling Smørgrav
Cc: John-Mark Gurney, Yuri, RW, Michelle Sullivan, Igor Mozolevsky, freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 12 Dec 2017 17:05:17 +0000
Message-ID: <26908.1513098317@critter.freebsd.dk>
In-reply-to: <864lovhpvr.fsf@desk.des.no>
References: <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no> <79567.1513083576@critter.freebsd.dk> <864lovhpvr.fsf@desk.des.no>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

--------
In message <864lovhpvr.fsf@desk.des.no>, Dag-Erling Smørgrav writes:

>Let me rephrase: it's not just the source of the key or certificate, but
>the path from that source to you.  There is *always* some level of blind
>trust, and all your suggestion does is move it from one place to
>another.

That is correct, and I don't see any problem in applying the usual
level of trust we use in this project to that cert.

For instance, our core team elections are usually run by some
Norwegian dude who very few committers have actually met in real
life.  But the committers seem to be willing to entrust that task to
him because those of us who have met this Norwegian dude agree that
his zealous pedantry is well suited to running our elections :-)

>The bottom line is, once again, that key distribution is hard, and that
>you shouldn't make infosec decisions without having at least a vague
>outline of a threat model.

Absolutely.

But just to sum up: We are talking about anonymous checkouts of our
source tree, and as far as my analysis goes, we are long past this
point:

	https://www.youtube.com/watch?v=X0bWWtTIPlg

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.