tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [PATCH] HTTPS/TLS CA certificates in base

> Date: Wed, 23 Aug 2023 16:29:21 -0400
> From: Thor Lancelot Simon <>
> I would like to be sure we will avoid any use of public CA's certificates
> to establish trust for upgrades of NetBSD itself, or of packages.  Otherwise,
> we will find ourselves in a situation where we can never recover if a CA
> goes rogue.

Well, right now, there's _nothing_ used to automatically verify binary
upgrades or packages, so it's already worse than the problem you're
alluding to.  (The only authenticated end-to-end path is source-only.)

With the change, the public CA certificates would be available to
validate TLS/HTTPS connections used to download sets and packages in
transit, at least (cdn-to-end, that is -- still not end-to-end).

But these will not be used to verify signatures on binary upgrades or
packages at rest (end-to-end, i.e., builder-to-end), if that's what
you're asking.

The public CA certificates may still be used _on top_, of course, by
doing downloads through HTTPS, but not for verifying signatures on the
binary sets/packages (or manifests of them) from the origin.  Separate
plans for that, more to come later.

Home | Main Index | Thread Index | Old Index