From: grarpamp
Date: Fri, 18 Sep 2020 23:45:29 -0400
Subject: Re: 12.2R Sigs
To: freebsd-security@freebsd.org

> [src's] included on the
> installation medium for reproducibility

Wherever the src.tgz, they should not be considered to be unbreakable reproducible bitwise duplicate authentic or traceable back to any repo since there is no provable cryptographic chain back to same, only assertions over the breaking points, which can and do fail in various ways. Distributed cloneable distributable repos based on crypto are needed to do that, perhaps such as Monotone, or at least sign Git's init hash.

https://monotone.ca/
https://git-scm.com/

> announce.asc file is only created for the final RELEASE build

Yes as those are nice milestones :)