> On 26-03-2014 16:59, Theo de Raadt wrote:
> >> On 2014-03-26, Giancarlo Razzolini <grazzol...@gmail.com> wrote:
> >>> If your siteXX has sensible information you can use ssl with
> >>> authentication.
> >> The installer doesn't include openssl.
> > Funny, Stuart.
> >
> > My process is to always look at the size of a statically linked
> > binary to make a guess as to whether it could go onto the installer.
> > At the very least, it should fit.
> >
> > (Whether it belongs there is a different question)
> >
> > For this check, the vax is convenient. Binaries are still static.
> > They are actually smaller than they might be on other architectures,
> > so let's compare:
> >
> >    text    data     bss     dec     hex
> > 1406523   42740   41692 1490955  16c00b
> >
> > Wow. Only a small part of that is libc code that might be shared by
> > other stuff on the "instbin" binary which makes the install media
> > work.
> >
> > Whereas the amd64 instbin binary, which contains EVERYTHING you need
> > to install is, today:
> >
> >    text    data     bss     dec     hex
> > 1276644   35040  652568 1964252  1df8dc
> >
> > Good luck making it fit.
>
> Theo,
>
> I agree with you that the installer must be as small as possible,
> and still offer a good mix of ways to install the software. With
> signify, the security of the underlying protocol being used in the
> installation becomes irrelevant, as long as you trust the initial key
> and as long as you are not trying to obfuscate which
> platform/sets/packages you are installing.
>
> Personally I don't do network installs, only as a last resort. I
> prefer using a usb stick. Our OP apparently does not have physical
> access to the machines, so it has to rely on network installs/upgrades,
> whatever. If he can dedicate a machine for making its own mirror, that's
> the best alternative.
>
> It would be nice to have openssl in the installer, but it surely
> isn't much of a problem nowadays.
That's entirely true, but signify only works for the signed base sets.
site*.tgz is now a pretty serious outlier. I feel we might have to do a
rather large departure from the current model to make that file safe
again. I know it is fetched locally, but there is this really twisted
dependency on all three files SHA256.sig, SHA256, and index.txt.

Regarding safety of site*.tgz, placing openssl there is not part of any
solution that would work.

What are other possible solutions? I do not yet know.

One development path may be to remove site*.tgz from the main install
sequence, and try to handle it in a more special way after base set
installs. Even if we have to add an additional question for a while.
Then maybe we can develop a better sequence that satisfies the same
need.

The install scripts are dynamic, something changes in them every
release, so this is a natural process.
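To make the gap Theo describes concrete, here is an added example (not from the thread or from OpenBSD's installer) that replays the digest check `signify -C` performs against the SHA256 list and reports which fetched sets fall outside it. It assumes the signature on SHA256.sig has already been verified with the trusted release key, and all set names and contents below are constructed sample data.

```python
import hashlib
import re

# One line of OpenBSD's SHA256 file, i.e. the body that SHA256.sig signs:
#   SHA256 (baseXX.tgz) = <64 hex digits>
SHA256_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def parse_sha256_list(text):
    """Map set name -> expected hex digest from the signed SHA256 file."""
    expected = {}
    for line in text.splitlines():
        m = SHA256_LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest")
    return expected


def check_sets(sha256_text, fetched):
    """Classify fetched files (name -> bytes) against the signed digest list.

    'ok'       - listed in SHA256 and digest matches
    'mismatch' - listed in SHA256 but contents differ (corrupt or altered)
    'unsigned' - not listed at all, so the signature says nothing about it;
                 this is the situation of a site*.tgz built by the admin.
    """
    expected = parse_sha256_list(sha256_text)
    result = {}
    for name, data in fetched.items():
        if name not in expected:
            result[name] = "unsigned"
            continue
        digest = hashlib.sha256(data).hexdigest()
        result[name] = "ok" if digest == expected[name] else "mismatch"
    return result


# Constructed sample data; not real OpenBSD sets or digests.
BASE = b"constructed base set contents"
MAN = b"constructed man set contents"
SHA256_TEXT = "\n".join([
    f"SHA256 (baseXX.tgz) = {hashlib.sha256(BASE).hexdigest()}",
    f"SHA256 (manXX.tgz) = {hashlib.sha256(MAN).hexdigest()}",
])
FETCHED = {
    "baseXX.tgz": BASE,                    # intact signed set
    "manXX.tgz": b"tampered man set",      # signed set whose bytes changed
    "siteXX.tgz": b"locally built site set",  # never covered by SHA256.sig
}

if __name__ == "__main__":
    for name, status in sorted(check_sets(SHA256_TEXT, FETCHED).items()):
        print(f"{name}: {status}")
```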