On 2019-12-09 10:33, Theo de Raadt wrote:
> Demi M. Obenour <demioben...@gmail.com> wrote:
>
>> Would it be possible to include the default AnonCVS mirrors’ SSH
>> fingerprints in the default ssh_known_hosts?
>
> There is no default ssh_known_hosts file.
>
>> If not, could it be included in another file in the base system?
>
> And teach users to trust us, rather than following best practice
> of doing signature checks? No way.
I would be more than happy to do signature checks. The problem is that I have no idea where I can find a signed list of those fingerprints, or another way of verifying them. That’s why I asked!

If OpenBSD used GPG-signed Git commits or similar, I could verify that, but it does not. That isn’t meant as a criticism, BTW. It just means that if I want to follow the -current source repository, I need some way to verify the authenticity of the source code.

If there is something wrong with my reasoning, I would love to know.

Sincerely,
Demi
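The check the thread is circling, as an added example that is not part of the post or of OpenBSD's own tooling: compute the OpenSSH SHA256 fingerprint of a host key line (the format ssh-keyscan prints and known_hosts stores), compare it in constant time against a fingerprint obtained out of band, and only on a match emit the known_hosts line that pins the key. The mirror name and key material are constructed; where the out-of-band fingerprint comes from is exactly the open question above, and the code assumes one is available.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH 'SHA256:' fingerprint: base64(sha256(raw blob)) with '=' padding stripped."""
    blob = base64.b64decode(key_b64, validate=True)
    if not blob:
        raise ValueError("empty key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str):
    """Split 'host keytype base64key [comment]' as printed by ssh-keyscan."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed host key line")
    return parts[0], parts[1], parts[2]


def verify_and_pin(keyscan_line: str, expected_fingerprint: str):
    """Return a known_hosts line only if the key matches the out-of-band fingerprint.
    None means do not pin: fingerprint mismatch, or the key type field disagrees
    with the type name encoded inside the blob."""
    host, keytype, key_b64 = parse_keyscan_line(keyscan_line)
    blob = base64.b64decode(key_b64, validate=True)
    if len(blob) < 4:
        return None
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode("ascii", "replace") != keytype:
        return None
    if not hmac.compare_digest(fingerprint_sha256(key_b64), expected_fingerprint):
        return None
    return f"{host} {keytype} {key_b64}"


# Constructed sample data: fake ed25519 host keys, not any real mirror's key.
_GOOD_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
_MITM_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_KEY_B64 = base64.b64encode(_GOOD_BLOB).decode("ascii")
SAMPLE_LINE = f"anoncvs.example.org ssh-ed25519 {SAMPLE_KEY_B64}"
MITM_LINE = "anoncvs.example.org ssh-ed25519 " + base64.b64encode(_MITM_BLOB).decode("ascii")
# In real use EXPECTED comes from an out-of-band source, never from the scanned key itself.
EXPECTED = fingerprint_sha256(SAMPLE_KEY_B64)

if __name__ == "__main__":
    print(verify_and_pin(SAMPLE_LINE, EXPECTED))  # the line to append to known_hosts
    print(verify_and_pin(MITM_LINE, EXPECTED))    # None: fingerprint mismatch, do not pin
```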