On Mon, Dec 15, 2008 at 05:30:32PM +1100, Damien Miller wrote: > On Sun, 14 Dec 2008, spamtester spamtester wrote: > > > It does not matter what faith one places in the pki or webs of trust > > (gpg/pgp style). Most linux distributions have had their packages > > signed for years (for example at ruxcon - an australian security > > conference a large number of participants had openbsd t-shirts > > stickers etc -> if one had a sig / link to a chain it could have been > > spread / if it was on a cd --> key could be compared to what others > > had) . Why not openbsd ? > > Because nobody has implemented it yet. > > > This seems trivial to me.
We actually have all the pieces. Except a decent trust chain. And a few disagreement with when/how we revoke stuff. Heck, we're further along the curve than most others. If you look closely at how packages are built, you can do signatures on the run, since only the packing-list needs to be signed, as *everything else* is checksummed already with a decent hash algorithm.
