Signed hashes of security updates

To: tech-security%NetBSD.org@localhost
Subject: Signed hashes of security updates
From: Vaibhav Gavane <vaibhav.gavane%gmail.com@localhost>
Date: Tue, 23 Jun 2015 13:52:10 +0000

Hello,

It seems that the security updates (i.e. the builds at, say,
nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/) are provided without
any *signed* hashes.

Am I missing/unaware of their location, if they exist?

If not, then the security updates are themselves vulnerable to MITM
attacks. The server (nyftp.netbsd.org) is neither accessible with
HTTPS, nor accessible with guest/anonymous SFTP.

Vaibhav Gavane

Prev by Date: Re: preliminary patch for making blacklistd in sshd configurable
Next by Date: NetBSD Security Advisory 2015-007: OpenSSL and SSLv3 vulnerabilities
Previous by Thread: preliminary patch for making blacklistd in sshd configurable
Next by Thread: Re: Signed hashes of security updates
Indexes:

Home | Main Index | Thread Index | Old Index