On 01-10-2014 01:58, Eric Furman wrote:
If you don't realize the OpenBSD team hasn't thought about, talked
about and argued about these issues to an extremely large extent
then you are very new here.
Nope. I myself participated in these discussions in the past.
You won't see it on these
2014-10-01 3:02 GMT+02:00 Giancarlo Razzolini grazzol...@gmail.com:
OpenBSD does not have any secure way to get things.
Buy a CD. If you don't trust the shop, have it somehow signed by a dev.
Best
Martin
On Tue, Sep 30, 2014 at 4:56 PM, Josh Grosse j...@jggimi.homeip.net wrote:
They happen whenever a fix is backported but not deemed critical enough
or in wide enough use for errata. Here's the first two I found in 5.5-stable,
there may be others but I stopped looking, since you just wanted a
On 2014-10-01 10:29, Alan McKay wrote:
On Tue, Sep 30, 2014 at 4:56 PM, Josh Grosse j...@jggimi.homeip.net
wrote:
They happen whenever a fix is backported but not deemed critical
enough
or in wide enough use for errata. Here's the first two I found in
5.5-stable,
there may be others but I
On Wed, Oct 01, 2014 at 15:33, Martin Schröder wrote:
2014-10-01 3:02 GMT+02:00 Giancarlo Razzolini grazzol...@gmail.com:
OpenBSD does not have any secure way to get things.
Buy a CD. If you don't trust the shop, have it somehow signed by a dev.
I'll note that at the recent EuroBSDCon, nobody
Hi folks,
I've been googling for a couple of hours now and not coming up with much here.
I see how to download the -release source and then verify it, but I
cannot find any way to grab -stable from CVS and do the same. I
guess the only way I do see is to start out with the -release code,
verify
On Tue, Sep 30, 2014 at 10:27 AM, Stefan Olsson
stefan.karl.ols...@gmail.com wrote:
I don't do this myself, but stable=patch branch, i.e. release + patches.
All info you need is really in these two pages:
Yes, I have it working great already. But at no point during that
process does it have me
There are SSH fingerprints published for each of the CVS servers.
Alternatively, you use the patch files which are signed. There aren't so
many of them that it's hard to catch up.
Tim.
On Tue, Sep 30, 2014 at 10:37 AM, Alan McKay alan.mc...@gmail.com wrote:
On Tue, Sep 30, 2014 at 10:27 AM,
On 30-09-2014 11:56, trondd wrote:
There are SSH fingerprints published for each of the CVS servers.
They are published on a clear http page and there is no SSHFP on the
dns. You need to access the anoncvs page from different places, using
different connections/vpns/proxies, to be sure you are
On Tue, Sep 30, 2014 at 11:30 AM, Giancarlo Razzolini grazzol...@gmail.com
wrote:
On 30-09-2014 11:56, trondd wrote:
There are SSH fingerprints published for each of the CVS servers.
They are published on a clear http page and there is no SSHFP on the dns.
You need to access the anoncvs
Sounds like I'll need to go with the signed tarballs for the -release
and then apply the signed patches to get -stable.
Dangit, I already had my process down (building from CVS) and now I
have to change it ...
On 30-09-2014 12:46, trondd wrote:
Sure, you have to somehow verify that the fingerprint is good and
check it against the fingerprint you get when first connecting to the
CVS server. How can you verify that fingerprint is good? I don't know.
SSHFP. DNSSEC. And other ways. But these won't
On Tue, Sep 30, 2014 at 11:57 AM, Giancarlo Razzolini grazzol...@gmail.com
wrote:
Is it good enough to grab the signed source tarball, then checkout from
CVS over it and make sure nothing changed in the process?
No, this won't cut it. Unless you check every line changed, and understand
On Wed, 1 Oct 2014, at 04:46 AM, trondd wrote:
On Tue, Sep 30, 2014 at 11:30 AM, Giancarlo Razzolini
grazzol...@gmail.com
wrote:
On 30-09-2014 11:56, trondd wrote:
There are SSH fingerprints published for each of the CVS servers.
They are published on a clear http page and there is
On Tue, Sep 30, 2014 at 09:44, Alan McKay wrote:
Hi folks,
I've been googling for a couple of hours now and not coming up with much
here.
I see how to download the -release source and then verify it, but I
cannot find any way to grab -stable from CVS and do the same. I
guess the only way
On 2014-09-30, Alan McKay alan.mc...@gmail.com wrote:
Sounds like I'll need to go with the signed tarballs for the -release
and then apply the signed patches to get -stable.
binpatchng can help you with this process.
But note that -stable sometimes has extra commits that don't have errata;
On Tue, Sep 30, 2014 at 4:21 PM, Stuart Henderson s...@spacehopper.org wrote:
binpatchng can help you with this process.
I will have to look into that
But note that -stable sometimes has extra commits that don't have errata;
release+patches is not quite the same thing as -stable.
Can you
On Tue, Sep 30, 2014 at 04:33:35PM -0400, Alan McKay wrote:
On Tue, Sep 30, 2014 at 4:21 PM, Stuart Henderson s...@spacehopper.org
wrote:
binpatchng can help you with this process.
I will have to look into that
But note that -stable sometimes has extra commits that don't have errata;
On 30-09-2014 16:03, Ted Unangst wrote:
In theory, we could sign the ssh fingerprint page, but I don't think
that's a good idea at the current time. There are some issues with
expiring old data.
This would be a significant improvement. If you are 99,99% certain you
got the release right, them
On 2014-09-30, Giancarlo Razzolini grazzol...@gmail.com wrote:
On 30-09-2014 16:03, Ted Unangst wrote:
In theory, we could sign the ssh fingerprint page, but I don't think
that's a good idea at the current time. There are some issues with
expiring old data.
This would be a significant
On 30-09-2014 20:24, Stuart Henderson wrote:
There is no expiry time on a signify signature. If an anoncvs server
were to be compromised such that you could no longer trust its key,
there is no way we could revoke that signed web page. If an attacker
was able to cause you to keep seeing an old
On Tue, Sep 30, 2014, at 09:02 PM, Giancarlo Razzolini wrote:
On 30-09-2014 20:24, Stuart Henderson wrote:
There is no expiry time on a signify signature. If an anoncvs server
were to be compromised such that you could no longer trust its key,
there is no way we could revoke that signed web
22 matches