FreeBSD needs Git to ensure repo integrity [was: 2012 incident]

Mark Andrews marka at isc.org
Wed Nov 21 03:38:06 UTC 2012


In message <20121121031959.GA30708 at server.rulingia.com>, Peter Jeremy writes:
> On 2012-Nov-20 11:30:59 -0500, Gary Palmer <gpalmer at freebsd.org> wrote:
> >On Tue, Nov 20, 2012 at 11:26:42AM -0500, Eitan Adler wrote:
> >> On 20 November 2012 04:54, xenophon+freebsd
> >> <xenophon+freebsd at irtnog.org> wrote:
> >> >> As of now:
> >> >>
> >> >> - SVN is *the* source of truth.
> >> >
> >> > Would it be possible to publish FreeBSD's Subversion repository using
> >> > HTTPS, instead of HTTP?
> >>
> >> %svn ls https://svn0.us-west.FreeBSD.org/base/
> >
> >You will get a certificate warning.  The certificates used do not
> >appear to be officially signed by a recognised CA.  The hashes of the
> >certificate keys are on the mirror website I pointed out in my email
> 
> The certificates are self-signed.  Whilst the hashes are published on
> the FreeBSD website, that site is only available via HTTP so there's
> still a bootstrap issue - which I don't have a general solution for.

See DANE, RFC 6698.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
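
Added example, not part of the original message or of FreeBSD's infrastructure: how a client could check a self-signed server certificate against a DANE TLSA record (RFC 6698) with certificate usage 3 (domain-issued certificate). The certificate bytes and the record are constructed samples, the function names are hypothetical, and the TLSA answer is assumed to have been DNSSEC-validated already.

```python
import hashlib

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCHING = {0: bytes, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}

def read_tlv(buf, off):
    """Read one DER element; return (tag, value_start, element_end)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, off + hdr, off + hdr + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo element of an X.509 certificate."""
    _, off, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, off, _ = read_tlv(cert_der, off)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, off)
    if tag == 0xA0:                        # optional [0] version
        off = end
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        off = read_tlv(cert_der, off)[2]
    return cert_der[off:read_tlv(cert_der, off)[2]]

def parse_tlsa(rdata):
    """Parse TLSA presentation-format RDATA: 'usage selector mtype hex...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def tlsa_matches(rdata, cert_der):
    """True if the server certificate satisfies a usage-3 TLSA record."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3 or selector not in (0, 1) or mtype not in MATCHING:
        return False  # usages 0-2 need chain building, not done here
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    return MATCHING[mtype](selected) == assoc

def der(tag, body):  # builds the constructed sample below (short lengths only)
    return bytes([tag, len(body)]) + body

# Constructed sample: certificate-shaped DER with a placeholder key
SAMPLE_SPKI = der(0x30, b"constructed-key")
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                 + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

The record removes the HTTP bootstrap step only when the resolver has validated the TLSA answer with DNSSEC; an unsigned answer is no stronger than a hash fetched over plain HTTP.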

