https://svn0.eu.freebsd.org self signed Cert

Florian Heigl florian.heigl at gmail.com
Wed Jan 14 21:36:58 UTC 2015


Hi,

I wonder if this has been brought up before, but I didn’t see anything about it.
The EU SVN mirror is running a self-signed cert, while the US one is running with a publicly accepted cert.

The documentation has the fingerprint for the certificate, it can be found at:
https://www.freebsd.org/doc/handbook/svn.html


Honestly it would be a lot easier to simply use a valid and public certificate for each of the SVN mirrors.
By now we should all have learned that any, really any slight chance of attack is being abused.

With a self-signed cert we offload the problem to all users to actually verify the cert each time they do a fresh checkout.
Even better, with a self-signed cert we won’t have any CRL support, right? Or is there a CRL provided for them?
(Disclaimer, mostly this depends on that feature “ever” being added to SVN anyway)

I hope this plea reaches the right set of eyes for consideration.
Since the SVN page asks to send any questions to -questions instead of mirrors/infra, I’m sending it here.


tl;dr
Please: ditch any self-signed certs from the FreeBSD source and build infra chain.
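
The per-checkout check the message describes, comparing the certificate a mirror presents against a fingerprint published out of band, shown as an added example that is not part of the original post or FreeBSD's tooling. The certificate bytes and the "published" fingerprint are constructed stand-ins, and all function names are hypothetical.

```python
import hashlib
import hmac
import ssl

# Digest is chosen from the length of the published fingerprint (hex chars).
_DIGESTS = {40: "sha1", 64: "sha256"}


def normalize(fingerprint: str) -> str:
    """Strip colons/whitespace and lowercase, so 'AB:CD' == 'abcd'."""
    return "".join(c for c in fingerprint if c not in ": \t\n").lower()


def fingerprint_matches(pem_cert: str, published: str) -> bool:
    """True only if the certificate hashes to the published fingerprint."""
    expected = normalize(published)
    algo = _DIGESTS.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        return False  # fail closed on a malformed or truncated pin
    der = ssl.PEM_cert_to_DER_cert(pem_cert)  # fingerprint covers the DER bytes
    actual = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(actual, expected)


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the server certificate WITHOUT chain validation (needs network)."""
    return ssl.get_server_certificate((host, port))


def _constructed_pem(blob: bytes) -> str:
    # Constructed stand-in: arbitrary bytes wrapped as PEM, not a real cert.
    return ssl.DER_cert_to_PEM_cert(blob)


def demo() -> dict:
    genuine = _constructed_pem(b"constructed mirror certificate")
    swapped = _constructed_pem(b"constructed substituted certificate")
    # Stand-in for the value a user would copy from the handbook page.
    digest = hashlib.sha256(b"constructed mirror certificate").hexdigest().upper()
    published = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    return {
        "genuine": fingerprint_matches(genuine, published),
        "swapped": fingerprint_matches(swapped, published),
        "truncated_pin": fingerprint_matches(genuine, published[:20]),
    }


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the published fingerprint was read from, and it gives no signal when a certificate has been revoked.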

