On Fri, Sep 16, 2016 at 02:29:53PM -0400, grarpamp wrote:
Never mind that they still [1] don't have their release ISOs and everything else fully reproducible and cryptographically traceable back to their source repository, in part because their silly choice of repo (svn) isn't capable of establishing cryptographic provenance over, and distribution of, the source, so unlike signable trees git or monotone there's a big gaping disconnect there. Though they are making good progress on reproducibility.
Oh, and OpenBSD still uses cvs for code authenticity, lol.
Did all BSDs have sound integrity checks when updating or installing new stuff? About 8 years ago FreeBSD installed ports and/or packages, fetching them from plain ftp, without integrity checks IIRC.