new certificate for svn.freebsd.org?
Ben Steel
bhs at precisionforesight.com
Sat Jun 18 20:35:24 UTC 2016
* Matthew Seaman <matthew at FreeBSD.org> [160618 11:21]:
> Even so, the option used to be off by default: the change to 'on by
> default' was made almost exactly a year ago, and there have been
> several changes to the list of certs since, so not having the symlink
> in place indicates either that you haven't updated your ports
> recently, or that you've specifically chosen not to enable the
> symlink. In which case you wouldn't have been able to validate the
> previous cert either.
>
> There really is no excuse for not updating the ca_root_nss port
> immediately there are updates available. Otherwise you can end up
> trusting certificates that have since been shown to be less than
> trustworthy.
>
> That you couldn't verify the cert is not a bug in FreeBSD, but a
> configuration problem in your own system. Not having the right
> fingerprint in the docs certainly is a bug which I'm sure will be
> addressed soon.

Thanks for the warnings, Matthew. In my case, the symlink was in place
in all the relevant jails, just not on the underlying system, which
pre-dated the config change and communicated only with svn.freebsd.org
to update the src and ports trees daily. That key had been manually
verified long ago. I moved the bug report to documentation as soon as I
realized that my lack of a symlink was at fault.
Hope this helps,
Ben
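An added example, not code from this thread or from the ca_root_nss port: a POSIX shell script that performs the checks the quoted message implies an administrator should make before trusting TLS validation of a host such as svn.freebsd.org. It verifies that the CA bundle symlink is actually in place and points at a bundle with certificates in it, prints a certificate's SHA-256 fingerprint for comparison against the documented one, and validates a saved chain against the bundle. The paths /etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt and the option name ETCSYMLINK are assumptions about the port, not facts stated in the thread; override the paths through the environment if your system differs.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the ca_root_nss port.
# Checks that the CA bundle symlink the quoted message talks about is in
# place before trusting TLS validation of, e.g., svn.freebsd.org.
#
# Assumed FreeBSD paths (the thread does not name them):
#   /etc/ssl/cert.pem                       symlink created by the port's ETCSYMLINK option
#   /usr/local/share/certs/ca-root-nss.crt  the bundle the symlink should point to
BUNDLE_LINK="${BUNDLE_LINK:-/etc/ssl/cert.pem}"
BUNDLE_FILE="${BUNDLE_FILE:-/usr/local/share/certs/ca-root-nss.crt}"

# ca_bundle_ok LINK TARGET
# Succeeds only if LINK is a symlink resolving to TARGET and TARGET holds at
# least one PEM certificate; prints the reason for any failure to stderr.
ca_bundle_ok() {
    link="$1"; target="$2"
    if [ ! -L "$link" ]; then
        echo "no symlink at $link: ETCSYMLINK off, or port not updated?" >&2
        return 1
    fi
    resolved=$(readlink "$link")
    case "$resolved" in
        /*) ;;                                         # absolute link target
        *)  resolved="$(dirname "$link")/$resolved" ;; # relative link target
    esac
    if [ "$resolved" != "$target" ]; then
        echo "$link points at $resolved, expected $target" >&2
        return 1
    fi
    # grep -c prints 0 and exits 1 on no match; the || true keeps the count.
    ncerts=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$target" 2>/dev/null || true)
    if [ "${ncerts:-0}" -eq 0 ]; then
        echo "$target contains no certificates" >&2
        return 1
    fi
    echo "ok: $link -> $target ($ncerts trusted roots)"
}

# cert_fingerprint PEM_FILE
# SHA-256 fingerprint of the first certificate in PEM_FILE, to compare by
# hand with the fingerprint published in the documentation.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# verify_chain BUNDLE CHAIN_PEM
# Validate the leaf certificate (first cert in CHAIN_PEM) against BUNDLE,
# offering the remaining certs in the file as untrusted intermediates.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2"
}

# fetch_chain HOST OUTFILE
# Save the certificate chain presented by HOST:443. Needs network access,
# so it is only run when explicitly requested below.
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$2"
}

# Usage: sh check_ca_bundle.sh check [host]
if [ "${1:-}" = "check" ]; then
    ca_bundle_ok "$BUNDLE_LINK" "$BUNDLE_FILE" || exit 1
    if [ -n "${2:-}" ]; then
        tmp=$(mktemp) && fetch_chain "$2" "$tmp"
        cert_fingerprint "$tmp"
        verify_chain "$BUNDLE_LINK" "$tmp"
        rm -f "$tmp"
    fi
fi
```

Running `sh check_ca_bundle.sh check svn.freebsd.org` on a host whose bundle symlink is missing stops at the first check with a message naming the likely cause, which is the situation described in the message above; with the symlink in place it prints the fingerprint to compare against the documented value and then reports whether the fetched chain validates against the installed roots.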