http subversion URLs should be discontinued in favor of https URLs

Bakul Shah bakul at bitblocks.com
Tue Dec 12 18:09:33 UTC 2017


On Tue, 12 Dec 2017 14:28:08 +0000 "Poul-Henning Kamp" <phk at phk.freebsd.dk> wrote:
> 
> For the FreeBSD SVN tree, this could almost be as simple as posting
> an email, maybe once a week, with the exact revision checked out
> and the PGP signed output of:
> 
> 	svn co ... && find ... -print | sort | xargs cat | sha256
> 
> Such an archive would also be invaluable for reauthenticating in
> case somebody ever manages to do something evil to our repo.

Sort of a public ledger. I have a vague memory of some project
*publishing* a crypto fingerprint of a collection of documents
in a well-known newspaper....  I think it was this one:

    https://www.technologyreview.com/s/402961/fingerprinting-your-files/

    Computing hashes of hashes is also the basis of a secure
    timestamp service invented by Stuart Haber and Scott
    Stornetta while the two were at Bellcore in 1990. The
    service, called Surety, makes it possible to generate a
    cryptographically secure and unforgeable proof that a
    given document, photograph, or other file existed at a
    particular time on a particular date and that it hasn't
    been changed since.

    The Surety technique works by computing a hash tree based
    on the hash codes of every document being time-stamped.
    The root of the tree is then published in a well-known
    location -- it could, for example, be printed in a classified
    advertisement in the New York Times. You can prove that
    your document existed on the day in question by showing
    that your document's fingerprint was needed to generate the
    fingerprint-of-fingerprints that appeared in the
    newspaper.

Nowadays can you even trust NYT?!
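
The hash-tree proof described in the quoted article, as an added example that is not part of the original post and is not Surety's actual construction. SHA-256, the 0x00/0x01 prefixes, the odd-node promotion rule and the sample documents are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample documents; any byte strings work.
SAMPLE_DOCS = [b"doc-A", b"doc-B", b"doc-C", b"doc-D", b"doc-E"]

def leaf_hash(doc):
    # Assumed 0x00/0x01 prefixes keep a leaf from being passed off as a node.
    return hashlib.sha256(b"\x00" + doc).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(docs):
    """All tree levels, leaves first; the last level is [root]."""
    if not docs:
        raise ValueError("need at least one document")
    levels = [[leaf_hash(d) for d in docs]]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            # An unpaired last node is promoted unchanged (assumed rule).
            nxt.append(node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels

def merkle_root(docs):
    return build_levels(docs)[-1][0]

def prove(docs, index):
    """Sibling hashes needed to recompute the root from docs[index]."""
    if not 0 <= index < len(docs):
        raise IndexError("no such document")
    proof = []
    for level in build_levels(docs)[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))  # (hash, sibling is on the left)
        index //= 2
    return proof

def verify(doc, proof, published_root):
    """True if doc plus proof reproduces the published root."""
    acc = leaf_hash(doc)
    for sibling, on_left in proof:
        acc = node_hash(sibling, acc) if on_left else node_hash(acc, sibling)
    return hmac.compare_digest(acc, published_root)
```

Only the root has to be published; each document holder keeps a proof whose length grows with the logarithm of the number of documents.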

