From: grarpamp
Date: Thu, 3 Oct 2019 03:48:08 -0400
Subject: AMD Secure Encrypted Virtualization - FreeBSD Status?
To: freebsd-security@freebsd.org
Cc: freebsd-current@freebsd.org, freebsd-virtualization@freebsd.org

https://developer.amd.com/sev/
https://github.com/AMDESE/AMDSEV
https://arstechnica.com/gadgets/2019/08/a-detailed-look-at-amds-new-epyc-rome-7nm-server-cpus/
http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
https://libvirt.org/kbase/launch_security_sev.html

"AMD is also using its Secure Processor to enable a couple of key
features that we believe aren't getting enough attention: Secure
Memory Encryption and Secure Encrypted Virtualization. There's an
AES-128 engine inside Epyc's memory controller, with the keys managed
by the SEP. If SME is enabled in the system BIOS, all RAM in the
system will be encrypted using a single key provided by the SEP and
decrypted when requested by the CPU. Expanding upon SME, SEV allows
guests' allocated RAM to be encrypted with individual keys, separate
from the one used by the host operating system."

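
An added example, not part of the message above and not FreeBSD or AMD code: the SME and SEV features described in the quoted passage are advertised by AMD processors in CPUID leaf 0x8000001F, and this C sketch decodes that leaf. The struct and function names are hypothetical. CPUID reports hardware capability only; whether the firmware has actually enabled SME, as the quote requires, is a separate setting.

```c
/* Added example: decode AMD CPUID Fn8000_001F (memory encryption caps). */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct memenc_caps {                 /* hypothetical name */
    int sme;               /* EAX[0]: Secure Memory Encryption supported */
    int sev;               /* EAX[1]: Secure Encrypted Virtualization supported */
    int sev_es;            /* EAX[3]: SEV with encrypted register state */
    unsigned cbit_pos;     /* EBX[5:0]: page-table bit marking a page encrypted */
    unsigned pa_reduce;    /* EBX[11:6]: physical address bits lost when enabled */
    uint32_t max_guests;   /* ECX: encrypted guests supported simultaneously */
    uint32_t min_sev_asid; /* EDX: lowest ASID for a SEV guest without SEV-ES */
};

static struct memenc_caps decode_memenc(uint32_t eax, uint32_t ebx,
                                        uint32_t ecx, uint32_t edx)
{
    struct memenc_caps c;
    c.sme = (int)(eax & 1u);
    c.sev = (int)((eax >> 1) & 1u);
    c.sev_es = (int)((eax >> 3) & 1u);
    c.cbit_pos = ebx & 0x3fu;
    c.pa_reduce = (ebx >> 6) & 0x3fu;
    /* Guest and ASID counts only mean something when SEV is reported. */
    c.max_guests = c.sev ? ecx : 0;
    c.min_sev_asid = c.sev ? edx : 0;
    return c;
}

/* Returns 1 and fills *out if this CPU exposes the leaf, 0 otherwise. */
static int query_memenc(struct memenc_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (__get_cpuid(0x8000001f, &a, &b, &c, &d)) {
        *out = decode_memenc(a, b, c, d);
        return 1;
    }
#endif
    (void)out;
    return 0;
}

int main(void)
{
    struct memenc_caps c;
    if (!query_memenc(&c)) { puts("CPUID leaf 0x8000001F not available"); return 0; }
    printf("SME=%d SEV=%d SEV-ES=%d C-bit=%u guests=%u\n",
           c.sme, c.sev, c.sev_es, c.cbit_pos, (unsigned)c.max_guests);
    return 0;
}
```
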
From: grarpamp
Date: Thu, 3 Oct 2019 20:00:51 -0400
Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
To: freebsd-current@freebsd.org
Cc: freebsd-security@freebsd.org, freebsd-virtualization@freebsd.org

>> Just whose secure keys do you suggest? I go to a lot of trouble to disable
>> secure boot so I can load any operating system I want.

Some motherboards have BIOS that allows you to both
- Upload your own keys
- Delete all the spooky Microsoft keys

Read the UEFI Secure Boot specification document.
Then paste all the key management specs into a ticket
with your motherboard vendor and get on them to publish
a BIOS release that has proper key management functions.
Some BIOS makers have this as selectable options in their
BIOS reference build routines... ie: the motherboard maker
doesn't have to write any code, they just point and click,
and the option appears in a BIOS release for mobo end user customers.
Sometimes you have to bug and escalate the mobo makers
and threaten to walk your next purchase to another mobo maker
to get them to cut and post the new BIOS release.

https://www.uefi.org/
https://uefi.org/learning_center/papers
https://uefi.org/specsandtesttools
https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf
https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2019.pdf
https://uefi.org/sites/default/files/resources/UEFI%20Forum%20White%20Paper%20-%20Chain%20of%20Trust%20Introduction_2019.pdf

> The goal would be not to disable secure boot and have FreeBSD running
> with a secured bootloader :-)
>
> At the moment we have insecure boot + insecure kernel + possible
> encrypted data partition..
> would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)

Yes.

From: Lucas Nali de Magalhães
Date: Fri, 4 Oct 2019 14:11:03 -0300
Subject: Re: Git/Mtn for FreeBSD, PGP WoT Sigs, Merkel Hash Tree Based
To: grarpamp
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org

> On Sep 20, 2019, at 6:04 PM, grarpamp wrote:
>
> [broken links fixed]
>
> For consideration...
>
> SVN really may not offer much in the way of native
> internal self authenticating repo to cryptographic levels
> of security against bitrot, transit corruption and repo ops,
> external physical editing, have much signing options, etc.
> Similar to blockchain and ZFS hash merkle-ization,
> signing the repo init and later points tags commits,
> along with full verification toolset, is useful function.
[...]
> Note also CVS, which some BSD's still use (ahem: Open, Net),
> is even worse than SVN with zero protection
> at all in any component regarding this subject.
>
> It really time to migrate repo tech to year 2020.

Are you sure you are talking about plain text files? May I suggest get rid of
the binary only part instead? I imagine how painful it is to do a 'git
checkout' of many GiB of data. TeXLive is worth a few and is an eternity here.

Lc
-- 
rollingbits — 📧 rollingbits@gmail.com 📧 rollingbits@terra.com.br 📧 rollingbits@yahoo.com 📧 rollingbits@globo.com 📧 rollingbits@icloud.com