Re: CA's TLS Certificate Bundle in base = BAD

2022-12-03 Thread Tomoaki AOKI
Hi. IMHO, bundling certs on base should be mandatory, at least for freebsd.org ones. Without them, how can users download initial certs from ports safely, and without annoying warnings? Maybe limiting initially-bundled certs for freebsd.org ones only on base itself, and forcibly install pkgs ones

Re: CA's TLS Certificate Bundle in base = BAD

2022-12-03 Thread Gordon Tetlow
On Dec 3, 2022, at 5:26 PM, grarpamp wrote:
>
> Again, FreeBSD should not be including the bundle in base, if users
> choose to, they can get it from ports or packages or wherever else.
> Including such bundles exposes users worldwide to massive risks.
> You need to do more gpg attestation, pubke

Re: CA's TLS Certificate Bundle in base = BAD

2022-12-03 Thread Graham Perrin
grarpamp, please refrain from addressing so many lists. So many is:
* generally poor netiquette
* contrary to rules of the road in the FreeBSD Handbook.

Re: CA's TLS Certificate Bundle in base = BAD

2022-12-03 Thread Steve Kargl
On Sat, Dec 03, 2022 at 08:26:16PM -0500, grarpamp wrote:
> there or for some other reason. That's all bad news :( But can be fixed :)
>
It looks like the FreeBSD mailing list software stripped your attachment with your patch. Can you try sending it again with the patch in-line?
-- steve

Re: CA's TLS Certificate Bundle in base = BAD

2022-12-03 Thread grarpamp
Again, FreeBSD should not be including the bundle in base, if users choose to, they can get it from ports or packages or wherever else. Including such bundles exposes users worldwide to massive risks. You need to do more gpg attestation, pubkey pinning [1], tofu, and cert management starting from e

Re: Consequences of disabling vtrnd

2022-12-03 Thread Mina Galić
Hi Max,
> If this is not the appropriate place, I apologize.
>
> Installing on an instance on vultr.com from booting from the standard image
> hangs. This is pretty well documented, and the equally well documented
> workaround is disabling vtrnd.
>
> But are there lingering consequences from