On 2019-12-09 10:33, Theo de Raadt wrote:
> Demi M. Obenour <demiobenour@gmail.com> wrote:
>
>> Would it be possible to include the default AnonCVS mirrors' SSH
>> fingerprints in the default ssh_known_hosts?
>
> There is no default ssh_known_hosts file.
>
>> If not, could it be included in another file in the base system?
>
> And teach users to trust us, rather than following best practice
> of doing signature checks? No way.

I would be more than happy to do signature checks. The problem is that
I have no idea where I can find a signed list of those fingerprints,
or another way of verifying them. That's why I asked!

If OpenBSD used GPG-signed Git commits or similar, I could verify
that, but it does not. That isn't meant as a criticism, BTW.

It just means that if I want to follow the -current source repository,
I need some way to verify the authenticity of the source code.

If there is something wrong with my reasoning, I would love to know.

Sincerely,
Demi