[lfs-dev] Security Certificate for linuxfromscratch.org

Tim Tassonis stuff at decentral.ch
Mon Aug 22 01:29:34 PDT 2016



On August 22, 2016 10:08:42 Paul Menzel <pmenzel at molgen.mpg.de> wrote:

> Dear Bruce,
>
>
> On 08/22/16 05:47, Bruce Dubbs wrote:
>> Rical Jasan wrote:
>>> Dudes and Dudettes,
>>>
>>> Why do you not have a certificate for your site?  Send me a CSR,
>>> and I will get one for you.
>>
>> It is not needed.  Everything is public.
>
> It’s not only about encryption. It’s about authentication. Right now,
> visitors have no way to determine if they are talking to the “real” LFS
> server or some other server claiming to be the LFS server.


What I truly wonder: was it really you that wrote this previous reply? I 
have no way to tell. Maybe we should start using S/MIME for email signing, 
with everyone buying an SSL Client Certificate from a commercial vendor?

We then also have to fully protect the server's private key, so nobody can 
steal it and run a fake LFS server with faulty recipes for glibc, gcc and 
binutils, and trick everyone by clever DNS cache poisoning attacks. We 
definitely have to implement secure DNSSEC first. As systemd's networkd 
provides that, we should soon all be ok.

>
> So I would welcome it too, if the Web site would be securely accessible
> over HTTPS.
>
>
> Best regards,
>
> Paul
> --
> http://lists.linuxfromscratch.org/listinfo/lfs-dev
> FAQ: http://www.linuxfromscratch.org/faq/
> Unsubscribe: See the above information page



