> Date: Wed, 23 Aug 2023 16:29:21 -0400
> From: Thor Lancelot Simon <t...@panix.com>
>
> I would like to be sure we will avoid any use of public CA's certificates
> to establish trust for upgrades of NetBSD itself, or of packages. Otherwise,
> we will find ourselves in a situation where we can never recover if a CA
> goes rogue.
Well, right now, there's _nothing_ used to automatically verify binary upgrades or packages, so it's already worse than the problem you're alluding to. (The only authenticated end-to-end path is source-only.) With the change, the public CA certificates would be available to validate TLS/HTTPS connections used to download sets and packages in transit, at least (cdn-to-end, that is -- still not end-to-end). But these will not be used to verify signatures on binary upgrades or packages at rest (end-to-end, i.e., builder-to-end), if that's what you're asking. The public CA certificates may still be used _on top_, of course, by doing downloads through HTTPS, but not for verifying signatures on the binary sets/packages (or manifests of them) from the origin. Separate plans for that, more to come later.