Where's the fingerprints and sigs? (was: Please check the current beta git conversions)

[grarpamp]

On 9/1/20, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
> I'm curious if there's any plans for read-only access over ssh.
> Trusting FreeBSD's ssh key material is likely easier than trusting
> HTTPS in certain regions.

A bit moot when such key materials of all services, and repos,
and ticketing, and reviews, and builds, and downloads, and
packages, forums, and git hashtree initialization first hashes, and
pubkey modulus not just the larger DER's by untrusted/attacking CA's,
etc... are all not sha-256 fingerprint signed and attested to in a base
included textfile, in repo and on website, etc by security officer keys
having good WoT... for users to reference, import, validate, pin down, etc.
And tools for accessing such services often not have fingerprint
pinning options.
Woes be to those using such untrustable massively MITM'd and
spied upon networks as the Internet, Workplace, Home, Travel,
VPN, WiFi, Tor Exits, etc not having any way to authenticate
fingerprints and pin such services back to their favorite OS
project's security apostille office yet.

Security vaunted OpenBSD still serves up via cleartext non-hashtree
anoncvs on non-ecc harware on non-zfs-skein filesystems etc...

So the BSD world must still be thought secure, bit integral, and
trustably accessible without any of these infrastructure tool
fingerprint sig and pin basics... still no need to supply them since
decades since TLS/SSH/etc were deployed...

Right?

Not.

Cheers all :)

[Same for Linux ;]