Date: Fri, 1 Jan 2021 21:12:54 -0500 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Li-Wen Hsu <lwhsu@freebsd.org> Cc: Christian Weisgerber <naddy@mips.inka.de>, freebsd-current <freebsd-current@freebsd.org> Subject: Re: HEADS UP: FreeBSD src repo transitioning to git this weekend Message-ID: <20210102021254.35o3snqb5fcvmbt3@mutt-hbsd> In-Reply-To: <CAKBkRUy_MJDpROVbX=MhvHvdBJTEaYU83cHMHaqsEDcLX4KKRw@mail.gmail.com> References: <20201223162417.v7Ce6%steffen@sdaoden.eu> <20201229011939.GU31099@funkthat.com> <20201229210454.Lh4y_%steffen@sdaoden.eu> <20201230004620.GB31099@funkthat.com> <CAD2Ti2-4xS5n0%2B1oLOHyFh4%2BOCnwtNAAwMkkWzwRVDnt-xmb1Q@mail.gmail.com> <20201231193908.GC31099@funkthat.com> <CAD2Ti2-dKMOx2-k71UyZs1kAGCXPuVwO9ee861oRFNV=aCfuqA@mail.gmail.com> <20210101140857.x3hbci6c4nwi7gl7@mutt-hbsd> <slrnruv17k.rlr.naddy@lorvorc.mips.inka.de> <CAKBkRUy_MJDpROVbX=MhvHvdBJTEaYU83cHMHaqsEDcLX4KKRw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--f7x6mvr3uryud7cy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jan 02, 2021 at 08:37:14AM +0800, Li-Wen Hsu wrote: > On Sat, Jan 2, 2021 at 4:25 AM Christian Weisgerber <naddy@mips.inka.de> = wrote: > > > > On 2021-01-01, Shawn Webb <shawn.webb@hardenedbsd.org> wrote: > > > > > This is why I asked FreeBSD to provide anonymous read-only ssh:// > > > support for git. I'm very grateful they support it. > > > > > > One thing that I need to do with the HardenedBSD infrastructure is > > > publish on our site the ssh pubkeys of the server (both RSA and > > > ed25519). I plan to do that sometime this coming week. I wonder if it > > > would be a good idea for FreeBSD to do the same > > > > The draft FreeBSD Git docs have the SSH fingerprints of the Git > > servers. > > https://github.com/bsdimp/freebsd-git-docs/blob/main/URLs.md > > > > Here's one from my own ~/.ssh/known_hosts: > > SHA256:y1ljKrKMD3lDObRUG3xJ9gXwEIuqnh306tSyFd1tuZE git.freebsd.org (ED2= 5519) >=20 > And the ssh-keys file is available on the project site, signed with > security-officer's key: >=20 > https://www.freebsd.org/internal/ssh-keys.asc >=20 > And in that file's header: > """ > Note that all machines listed below also have signed SSHFP records in > DNS. If you have a DNSSEC-aware resolver and set VerifyHostKeyDNS to > "ask" or "yes" in ~/.ssh/config, OpenSSH will verify host keys against > these SSHFP records. > """ Awesome! Thanks for the clarification! Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Sha= wn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc --f7x6mvr3uryud7cy Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAl/v1qMACgkQ/y5nonf4 4fofSQ//eqjfiHDWmJlHUWaHjaYCJNwHrm2CCqacaPWEMjk2rJFm654n6EGYsS5S aAi77DuMYtkC9hUHKdlFqmvRmNxiFXe+R686XBOHYD1fv6Lwayq83phuoNr5Vi3l ORgqKUa15D4SgqOInq1yP8t/LHs9b6+/PSRN65R9cajzn3F7I8e4rDyzmEZR6T+P r40vkNoViciYl3YGom6a1RPV/ZkoR5yXlLQ1vi1BzM17QNyno6cUfH5odkbvZj+1 b/unuS4Poa1qQuR6Phzp54Fde/+NLdz3XmVFmo0iGO/4qyr9IIP+0chduJ3hvyfU NiESuspOjLdhLgBgnphMdZQbIxJc/NMbEC8ffabNOt4kSUvtz1IBnOivusql0PnL XsZK0A0xdy7pysSWhwFtXiBGG8r4jtRaNArDcJVNN9F3gUmY9Z4Icr/cfXN6/COf 460mY+4ehJnJfvKgl4G0zoYkdg/d/T5eeTCWARLTabXmQycQq4oegI5QKxkLCrV7 Zbgu0yf0V6jlSbeBweMpkSrdVvDP/WVgtRZCOovRP42C2Zn4xKQh+3J1Z/J69vfG D3N5ApliCYQH3PiAMkZ4eivxSSyM4YodAA+3eUebnds5agpq+F1aP0uLSJW4EQuc 4WPt2h1A351OLg234/kUhANYw22syI9+/4Vlos++AqKrp3V4c4c= =wUoA -----END PGP SIGNATURE----- --f7x6mvr3uryud7cy--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20210102021254.35o3snqb5fcvmbt3>