On Thu, 6 Sep 2012 08:34:23 +0800
Rowdy OpenBSD wrote:

> If the OpenBSD project signed its packages and distribution sets, we
> could reasonably assume that they were not compromised between being
> signed and our downloading them.  Your current processes do not
> provide the same degree of assurance, and they require more time and
> effort.
> 

If you re-read my messages you will see that you and Andres have
missed or misread much of what I said. I agree, but also said I have far
more confidence in the packages I download from OpenBSD mirrors than,
say, for Arch Linux, and also in the source the OpenBSD build
infrastructure downloads. I also said that it was seen as impractical,
meaning not worth the developers' time, as a developer has just told you.

> > Checksums can be checked individually with sources whereas signing has
> > no relation to the content unless you sign the checksum file.  
> 
> ???
> 
> Obviously, the OpenBSD project would sign the checksum file (and packages).

You only need to sign the checksum file, which I suggested because I saw
it as the least work for the building machine devs or project leader. The
real problem would be keeping the key secure and still getting
snapshots out every 3 days, meaning the correct checksums should be
kept safe in any case, as it would be easier to steal the key unnoticed
than to change files and checksums. Again, yes, it would be a welcome
security increase. But note, most of the devs likely use SSH and ports
only and so get checksums over SSH. Unfortunately, personally I don't
have the time for that much building.

For release packages you have to build from ports or can buy a CD
anyway.

SSH would be another easy option, but I guess the processor usage would
increase and third-party mirrors would become short in supply, making
upgrades take almost as long as Fedora ;-).

As users, an option would be creating a web of trust for those checksum
files, assuming only a few mirrors are ever compromised, making MITM
much harder and checking quicker for many.

Another issue may be that GPG is GNU GPL and can't be in base.
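The scheme argued for above (sign only the checksum file, then check each downloaded set against it), as an added example that is not code from the thread or from the OpenBSD project. It assumes an ed25519 key standing in for whatever key the project would use, and the set names and contents are constructed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// buildManifest emits SHA256(1)-style lines, "SHA256 (name) = hex", in the given order.
func buildManifest(names []string, files map[string][]byte) string {
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "SHA256 (%s) = %s\n", n, hex.EncodeToString(sum[:]))
	}
	return b.String()
}

// verifyRelease checks the signature on the checksum file first (that is what binds the digests to the signer), then every downloaded file against it.
func verifyRelease(pub ed25519.PublicKey, manifest string, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("checksum file: signature does not verify")
	}
	for name, data := range files {
		sum := sha256.Sum256(data)
		want := fmt.Sprintf("SHA256 (%s) = %s", name, hex.EncodeToString(sum[:]))
		if !strings.Contains("\n"+manifest, "\n"+want+"\n") { // whole-line match only
			return fmt.Errorf("%s: digest not listed in the signed checksum file", name)
		}
	}
	return nil
}

// scenario: constructed release; checks an untouched download, one swapped set, and the swap with the checksum file rewritten to match (which the attacker cannot re-sign).
func scenario() (good, badFile, badManifest bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	names := []string{"base.tgz", "comp.tgz"}
	files := map[string][]byte{"base.tgz": []byte("constructed base set"), "comp.tgz": []byte("constructed comp set")}
	m := buildManifest(names, files)
	sig := ed25519.Sign(priv, []byte(m)) // done once on the release machine
	good = verifyRelease(pub, m, sig, files) == nil
	files["base.tgz"] = []byte("trojaned base set") // mirror serves a swapped set
	badFile = verifyRelease(pub, m, sig, files) != nil
	badManifest = verifyRelease(pub, buildManifest(names, files), sig, files) != nil
	return
}

func main() { fmt.Println(scenario()) } // true true true
```

The last case is the one the thread turns on: a compromised mirror can rewrite the checksum file to match swapped sets, but without the signing key the rewritten file fails the signature check before any digest is consulted.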
