Monday, December 09, 2019

Re: Including AnonCVS mirrors in ssh_known_hosts

Demi M. Obenour <demiobenour@gmail.com> wrote:

> On 2019-12-09 10:33, Theo de Raadt wrote:
> > Demi M. Obenour <demiobenour@gmail.com> wrote:
> >
> >> Would it be possible to include the default AnonCVS mirrors' SSH
> >> fingerprints in the default ssh_known_hosts?
> >
> > There is no default ssh_known_hosts file.
> >
> >> If not, could it be included in another file in the base system?
> >
> > And teach users to trust us, rather than following best practice
> > of doing signature checks? No way.
>
> I would be more than happy to do signature checks. The problem is that
> I have no idea where I can find a signed list of those fingerprints,
> or another way of verifying them. That's why I asked!
>
> If OpenBSD used GPG-signed Git commits or similar, I could verify
> that, but it does not. That isn't meant as a criticism, BTW.
> It just means that if I want to follow the -current source repository,
> I need some way to verify the authenticity of the source code.
>
> If there is something wrong with my reasoning, I would love to know.


The project doesn't run the anoncvs servers. We are not able
to provide you with a list which has more validity than your own
checks.
