On Wed, 2016-05-25 at 17:22 -0600, Theo de Raadt wrote:
> > Well, you could certainly put the key and signify sources on the main
> > website. The CVS thing doesn't seem to be HTTPS-enabled.
>
> You mean like here? [...]

Oops, I completely missed those. I was looking at the download page and install guide.

> Can you find a bogus version of the signify source code?

Actually, digging deeper it seems anoncvs is protected by SSH and the fingerprints are available on the site, so that's fine too.

> Will you trust the compiler you build it with?
> Will you trust the operating system you compile it on?
> Will you trust the machine you are using?

Yes, that's reasonable.

> You should get the feeling that we believe you are one of those
> demanding types that read a PGP book a few years ago and wants
> to tell the world it should be done that way. Or else, if we
> don't do what you want, then we are jerks.

So it would seem that everything needed to get OpenBSD is in place, thanks for the information. It isn't obvious from the guide, though. By the way, I'm not hung up on PGP at all, just on verifying downloads.

> Sorry, I see it the other way around.
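As an added example that is not part of this thread, here is a Python sketch of the checks signify(1) performs when verifying an embedded signature such as OpenBSD's SHA256.sig: the two-line file format, the key-number match (signify's "checked against wrong key"), and the Ed25519 signature over the embedded message. The key and signature values below are constructed, not real OpenBSD keys, and the Ed25519 step assumes the `cryptography` package is installed.

```python
import base64

# signify's on-disk format: a "untrusted comment:" line, then one base64 line.
# Decoded public key: "Ed" | 8-byte key number | 32-byte Ed25519 public key
# Decoded signature:  "Ed" | 8-byte key number | 64-byte Ed25519 signature
# With -e (as in SHA256.sig) the signed message follows those two lines.
PKALG = b"Ed"
KEYNUMLEN = 8
HEADER = b"untrusted comment: "

def parse_signify(data: bytes):
    """Return (comment, keynum, body, embedded_message) for a signify file."""
    lines = data.split(b"\n", 2)
    if len(lines) < 2 or not lines[0].startswith(HEADER):
        raise ValueError("missing 'untrusted comment:' header")
    blob = base64.b64decode(lines[1], validate=True)
    if blob[:2] != PKALG:
        raise ValueError("unsupported algorithm tag %r" % blob[:2])
    keynum, body = blob[2:2 + KEYNUMLEN], blob[2 + KEYNUMLEN:]
    message = lines[2] if len(lines) == 3 else b""
    return lines[0][len(HEADER):], keynum, body, message

def key_matches(pubkey_file: bytes, sig_file: bytes) -> bool:
    """True when the signature was made with this key number."""
    return parse_signify(pubkey_file)[1] == parse_signify(sig_file)[1]

def verify_embedded(pubkey_file: bytes, sig_file: bytes) -> bytes:
    """Verify sig_file against pubkey_file; return the embedded message."""
    _, key_num, pub, _ = parse_signify(pubkey_file)
    _, sig_num, sig, message = parse_signify(sig_file)
    if len(pub) != 32 or len(sig) != 64:
        raise ValueError("malformed key or signature length")
    if key_num != sig_num:
        raise ValueError("verification failed: checked against wrong key")
    # Ed25519 check over the embedded message; assumes 'cryptography'.
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    Ed25519PublicKey.from_public_bytes(pub).verify(sig, message)  # raises on failure
    return message

# Constructed sample files (not real OpenBSD material); all-zero key/signature
# bytes exercise the format and key-number checks only, not a real signature.
SAMPLE_KEYNUM = bytes(range(8))
OTHER_KEYNUM = bytes(8)
SAMPLE_MESSAGE = b"SHA256 (example.tgz) = constructed-hash-value\n"
SAMPLE_PUB = HEADER + b"constructed key\n" + base64.b64encode(PKALG + SAMPLE_KEYNUM + bytes(32)) + b"\n"
SAMPLE_SIG = HEADER + b"constructed sig\n" + base64.b64encode(PKALG + SAMPLE_KEYNUM + bytes(64)) + b"\n" + SAMPLE_MESSAGE
WRONG_KEY_SIG = HEADER + b"constructed sig\n" + base64.b64encode(PKALG + OTHER_KEYNUM + bytes(64)) + b"\n" + SAMPLE_MESSAGE
```

The key-number check is what lets signify reject a signature made with an unrelated key before doing any cryptography, which is why OpenBSD ships a distinct key per release.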