[lfs-dev] Security Certificate for linuxfromscratch.org

Paul Menzel pmenzel at molgen.mpg.de
Mon Aug 22 02:13:39 PDT 2016


Dear Tim,


On 08/22/16 10:29, Tim Tassonis wrote:

> On August 22, 2016 10:08:42 Paul Menzel <pmenzel at molgen.mpg.de> wrote:
>
>> Dear Bruce,
>>
>>
>> On 08/22/16 05:47, Bruce Dubbs wrote:
>>> Rical Jasan wrote:
>>>> Dudes and Dudettes,
>>>>
>>>> Why do you not have a certificate for your site?  Send me a CSR,
>>>> and I will get one for you.
>>>
>>> It is not needed.  Everything is public.
>>
>> It’s not only about encryption. It’s about authentication. Right now,
>> visitors have no way to determine if they are talking to the “real” LFS
>> server or some other server claiming to be the LFS server.
>
> What  I truly wonder: was it really you that wrote this previous reply?
> I have no way to tell. Maybe we should start using S/MIME for email
> signing, whit everyone buying a SSS Client Certificate from a commercial
> vendor?
>
> We then also have to fully protect the server's private key, so nobody
> can steal it and run a fake LFS server with faulty recipes for glibc,
> gcc and binutils, and trick everyone by clever dns cache poisining
> attacks. We definitely have to implement secure DNSSEC first. As systemd's
> networkd provides that, we should soon all be ok.

I’d agree that using GPG or S/MIME for email would be a good practice, 
and improve the overall situation.

But I think you reply is besides the point. While setting up secure 
access over HTTPS is not perfect, it improves the current situation in 
my opinion.

How much people trust this new way of accessing the Web site, is up to them.


Best regards,

Paul


More information about the lfs-dev mailing list