On 26-03-2014 16:59, Theo de Raadt wrote:
>> On 2014-03-26, Giancarlo Razzolini <grazzol...@gmail.com> wrote:
>>> If your siteXX has
>>> sensible information you can use ssl with authentication.
>> The installer doesn't include openssl.
> Funny, Stuart.
>
> My process is to always look at the size of a statically linked
> binary to make a guess as to whether it could go onto the installer.
> At the very least, it should fit.
>
> (Whether it belongs there is a different question)
>
> For this check, the vax is convenient. Binaries are still static.
> They are actually smaller than they might be on other architectures,
> so let's compare:
>
>    text    data     bss     dec     hex
> 1406523   42740   41692 1490955  16c00b
>
> Wow. Only a small part of that is libc code that might be shared by
> other stuff on the "instbin" binary which makes the install media
> work.
>
> Whereas the amd64 instbin binary, which contains EVERYTHING you need
> to install is, today:
>
>    text    data     bss     dec     hex
> 1276644   35040  652568 1964252  1df8dc
>
> Good luck making it fit.
>

Theo,

I agree with you that the installer must be as small as possible, and still offer a good mix of ways to install the software. With signify, the security of the underlying security of the protocol being used in the installation becomes irrelevant, as long as you trust the initial key and as long as you are not trying to obfuscate which platform/sets/packages you are installing.

Personally I don't do network installs, only as last resort. I prefer using a usb stick. Our OP apparently does not have physical access to the machines so he has to rely on network installs/upgrades, whatever. If he can dedicate a machine for making its own mirror, it's the best alternative.

It would be nice to have openssl in the installer, but it surely isn't much of a problem nowadays.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC