Demi M. Obenour <[email protected]> wrote:

> On 2019-12-09 10:33, Theo de Raadt wrote:
> > Demi M. Obenour <[email protected]> wrote:
> >
> >> Would it be possible to include the default AnonCVS mirrors’ SSH
> >> fingerprints in the default ssh_known_hosts?
> >
> > There is no default ssh_known_hosts file.
> >
> >> If not, could it be included in another file in the base system?
> >
> > And teach users to trust us, rather than following best practice
> > of doing signature checks? No way.
>
> I would be more than happy to do signature checks. The problem is that
> I have no idea where I can find a signed list of those fingerprints,
> or another way of verifying them. That’s why I asked!
>
> If OpenBSD used GPG-signed Git commits or similar, I could verify
> that, but it does not. That isn’t meant as a criticism, BTW.
> It just means that if I want to follow the -current source repository,
> I need some way to verify the authenticity of the source code.
>
> If there is something wrong with my reasoning, I would love to know.

the project doesn't run the anoncvs servers. we are not able to provide you with a list which has more validity than your own checks.

