Date: Fri, 18 Sep 2020 23:45:29 -0400
From: grarpamp <grarpamp@gmail.com>
To: freebsd-security@freebsd.org
Subject: Re: 12.2R Sigs
Message-ID: <CAD2Ti2_nRg84TKUNGchKQWwxLRw3r%2BLgP-1E1E=txSBrh7iDdA@mail.gmail.com>
In-Reply-To: <20200918112945.GJ26726@FreeBSD.org>
References: <CAD2Ti2-YFpWp3-Ctc%2BraDhrW=4GQ0oQvX2Uau9QHrxU3yTS-ag@mail.gmail.com> <20200917204102.GG26726@FreeBSD.org> <CAD2Ti2_ewtpH5wiZZKB=p%2B2u2%2BUpRGuD%2BtpF55NDP%2BFuNU8XrA@mail.gmail.com> <20200918001257.GI26726@FreeBSD.org> <CAD2Ti28c74jVbt2u9X1M7GHf%2B4d4YuZAQbDTg8rftBFNQZjpGQ@mail.gmail.com> <20200918112945.GJ26726@FreeBSD.org>
> [src's] included on the
> installation medium for reproducibility

Wherever the src.tgz is, it should not be considered an unbreakable, reproducible, bitwise-duplicate, authentic copy traceable back to any repo, since there is no provable cryptographic chain back to the same, only assertions over the breaking points, which can and do fail in various ways.

Distributed, cloneable, distributable repos based on crypto are needed to do that, perhaps such as Monotone, or at least sign Git's init hash.

https://monotone.ca/
https://git-scm.com/

> announce.asc file is only created for the final RELEASE build

Yes, as those are nice milestones :)
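As an added illustration of the "provable cryptographic chain" point in the message above (example code, not part of the original post and not FreeBSD's release tooling): a toy hash-chained history in the style of a Git DAG. Verification walks from a trusted head id back to the root, so one signature over that head id covers every earlier commit and tree, which a signature over a src.tgz by itself does not provide. The names Commit, tree_id, commit_id, build_history and verify_chain are this example's own.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Commit:
    parent: Optional[str]  # id of the previous commit; None for the root commit
    tree: str              # content hash of the source snapshot
    message: str

def tree_id(files: Dict[str, bytes]) -> str:
    """Hash a snapshot as sorted (path, blob hash) pairs, so equal trees hash equal."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + hashlib.sha256(files[path]).digest())
    return h.hexdigest()

def commit_id(c: Commit) -> str:
    """A commit id covers its parent id, so it transitively covers all history."""
    h = hashlib.sha256()
    h.update(((c.parent or "") + "\n" + c.tree + "\n" + c.message).encode())
    return h.hexdigest()

def build_history(snapshots: List[Tuple[Dict[str, bytes], str]]) -> List[Commit]:
    commits, parent = [], None
    for files, message in snapshots:
        c = Commit(parent, tree_id(files), message)
        commits.append(c)
        parent = commit_id(c)
    return commits

def verify_chain(commits: List[Commit], trusted_head: str) -> bool:
    """Walk from a trusted (e.g. signed) head id back to the root; editing any commit or tree breaks a link."""
    expected: Optional[str] = trusted_head
    for c in reversed(commits):
        if expected is None or commit_id(c) != expected:
            return False
        expected = c.parent
    return expected is None

def demo() -> Tuple[bool, bool]:
    # Constructed sample history standing in for a source tree; not real FreeBSD data.
    history = build_history([
        ({"sys/main.c": b"int main(void){return 1;}"}, "initial import"),
        ({"sys/main.c": b"int main(void){return 0;}"}, "fix exit status"),
    ])
    head = commit_id(history[-1])  # the single id a release signature would need to cover
    # Replace the root commit's tree but keep its message: the recorded parent id no longer matches.
    tampered = [Commit(None, tree_id({"sys/main.c": b"/* altered */"}), "initial import")] + history[1:]
    return verify_chain(history, head), verify_chain(tampered, head)  # (True, False)
```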