NetBSD/crypto/external
jym c8b47a469d Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.

Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).

This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.

Only done for NetBSD.org domain, SSHFP are sadly more an exception than
the rule.

Notified on netbsd-users@, no objection after a week -- committed.
2013-10-06 17:25:34 +00:00
..
bsd Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts 2013-10-06 17:25:34 +00:00
cpl add libcrypto; needed by new binutils 2013-09-29 13:34:37 +00:00
Makefile need bsd.own.mk 2013-02-12 20:55:37 +00:00
README description of cpl 2012-01-28 01:30:42 +00:00

$NetBSD: README,v 1.3 2012/01/28 01:30:42 christos Exp $

Organization of Sources:

This directory hierarchy is using an organization that separates
crypto source for programs that we have obtained from external third
parties (where NetBSD is not the primary maintainer) from the system
source.

This README file is derived from the README file in src/external.

The hierarchy is grouped by license, and then package per license,
and is organized as follows:

	crypto/external/

	    Makefile
			Descend into the license sub-directories.

	    <license>/
			Per-license sub-directories.

		Makefile
			Descend into the package sub-directories.

		<package>/
			Per-package sub-directories.

		    Makefile
			Build the package.
			
		    dist/
			The third-party source for a given package.

		    bin/
		    lib/
		    sbin/
			BSD makefiles "reach over" from these into
			"../dist/".

This arrangement allows for packages to be easily disabled or
excised as necessary, either on a per-license or per-package basis.

The licenses currently used are:

	bsd		BSD (or equivalent) licensed software, possibly with
			the "advertising clause".
	cpl		Common Public License
			http://www.opensource.org/licenses/cpl1.0

If a package has components covered by different licenses
(for example, GPL2 and the LGPL), use the <license> subdirectory
for the more restrictive license.

If a package allows the choice of a license to use, we'll
generally use the less restrictive license.

If in doubt about where a package should be located, please
contact <core@NetBSD.org> for advice.


Migration Strategy:


Eventually src/dist (and associated framework in other base source
directories) and src/gnu will be migrated to this hierarchy.


Maintenance Strategy:

The sources under src/crypto/external/<license>/<package>/dist/ are
generally a combination of a published distribution plus changes
that we submit to the maintainers and that are not yet published
by them.

Make sure all changes made to the external sources are submitted
to the appropriate maintainer, but only after coordinating with
the NetBSD maintainers.