Date: Sat, 2 Jan 2021 08:37:14 +0800 From: Li-Wen Hsu <lwhsu@freebsd.org> To: Christian Weisgerber <naddy@mips.inka.de> Cc: freebsd-current <freebsd-current@freebsd.org> Subject: Re: HEADS UP: FreeBSD src repo transitioning to git this weekend Message-ID: <CAKBkRUy_MJDpROVbX=MhvHvdBJTEaYU83cHMHaqsEDcLX4KKRw@mail.gmail.com> In-Reply-To: <slrnruv17k.rlr.naddy@lorvorc.mips.inka.de> References: <20201218175241.GA72552@spindle.one-eyed-alien.net> <20201218182820.1P0tK%steffen@sdaoden.eu> <20201223023242.GG31099@funkthat.com> <20201223162417.v7Ce6%steffen@sdaoden.eu> <20201229011939.GU31099@funkthat.com> <20201229210454.Lh4y_%steffen@sdaoden.eu> <20201230004620.GB31099@funkthat.com> <CAD2Ti2-4xS5n0%2B1oLOHyFh4%2BOCnwtNAAwMkkWzwRVDnt-xmb1Q@mail.gmail.com> <20201231193908.GC31099@funkthat.com> <CAD2Ti2-dKMOx2-k71UyZs1kAGCXPuVwO9ee861oRFNV=aCfuqA@mail.gmail.com> <20210101140857.x3hbci6c4nwi7gl7@mutt-hbsd> <slrnruv17k.rlr.naddy@lorvorc.mips.inka.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Jan 2, 2021 at 4:25 AM Christian Weisgerber <naddy@mips.inka.de> wrote: > > On 2021-01-01, Shawn Webb <shawn.webb@hardenedbsd.org> wrote: > > > This is why I asked FreeBSD to provide anonymous read-only ssh:// > > support for git. I'm very grateful they support it. > > > > One thing that I need to do with the HardenedBSD infrastructure is > > publish on our site the ssh pubkeys of the server (both RSA and > > ed25519). I plan to do that sometime this coming week. I wonder if it > > would be a good idea for FreeBSD to do the same > > The draft FreeBSD Git docs have the SSH fingerprints of the Git > servers. > https://github.com/bsdimp/freebsd-git-docs/blob/main/URLs.md > > Here's one from my own ~/.ssh/known_hosts: > SHA256:y1ljKrKMD3lDObRUG3xJ9gXwEIuqnh306tSyFd1tuZE git.freebsd.org (ED25519) And the ssh-keys file is available on the project site, signed with security-officer's key: https://www.freebsd.org/internal/ssh-keys.asc And in that file's header: """ Note that all machines listed below also have signed SSHFP records in DNS. If you have a DNSSEC-aware resolver and set VerifyHostKeyDNS to "ask" or "yes" in ~/.ssh/config, OpenSSH will verify host keys against these SSHFP records. """ Best, Li-Wen
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAKBkRUy_MJDpROVbX=MhvHvdBJTEaYU83cHMHaqsEDcLX4KKRw>