I'm new to FreeBSD and want to use it in a professional capacity in a few different roles but I cant seem to wrap my mind around a few questions of trust.
Does FreeBSD have any protection against man-in-the-middle attacks or hacked mirrors for packages or ports? Should I only install off of the CDs if I don't trust the network between my servers and freebsd.org? Are there hashes for the other CDs that come from bsdmall besides disk one?
Also, should I really trust the ports tree unless I examine and understand the source for everything I install? Obviously that is the best solution, and a unique advantage for open source software, but I think it might take me a year or two to develop the skills required. I assume there has to be at least community oversight for community contributed software, but what are the concrete details? If I don't trust community ports of third party software, but must run them for functionality, what should I do? Run everything in its own jail? Should I be doing that anyway? Is learning how to port them myself the only answer? What solutions for the question of trust exist outside of the technological? Why is trusted computing such a joke? How can I stop the nightmares of servers rising up and killing all humans??
Honestly, any resources or discussions on the subject of trust, and how to deal with it as a sysadmin without going insane, would be greatly appreciated. I know it is impossible to be absolutely sure, but I don't know where the line between trusted and untrusted should be or how to determine where I am in relation to it.
Does FreeBSD have any protection against man-in-the-middle attacks or hacked mirrors for packages or ports? Should I only install off of the CDs if I don't trust the network between my servers and freebsd.org? Are there hashes for the other CDs that come from bsdmall besides disk one?
Also, should I really trust the ports tree unless I examine and understand the source for everything I install? Obviously that is the best solution, and a unique advantage for open source software, but I think it might take me a year or two to develop the skills required. I assume there has to be at least community oversight for community contributed software, but what are the concrete details? If I don't trust community ports of third party software, but must run them for functionality, what should I do? Run everything in its own jail? Should I be doing that anyway? Is learning how to port them myself the only answer? What solutions for the question of trust exist outside of the technological? Why is trusted computing such a joke? How can I stop the nightmares of servers rising up and killing all humans??
Honestly, any resources or discussions on the subject of trust, and how to deal with it as a sysadmin without going insane, would be greatly appreciated. I know it is impossible to be absolutely sure, but I don't know where the line between trusted and untrusted should be or how to determine where I am in relation to it.