Is there any way to verify that distribution sets and packages that I
have downloaded have not been tampered with (e.g., by someone with
access to the mirror from which I downloaded them)?
The package system supports signatures, but the packages distributed
on OpenBSD mirrors are unsigned, as is t
>>Is there any way to verify that distribution sets and packages that I
>>have downloaded have not been tampered with (e.g., by someone with
>>access to the mirror from which I downloaded them)?
>>
>>The package system supports signatures, but the packages distributed
>>on OpenBSD mirrors are unsig
> To the OP. When checking I choose a source mirror or two and download
> just the SHA256. There is no sha256 for src.tgz and sys.tgz but you can
> use ssh for the source code by getting the fingerprint once like for
> signatures but tied to servers and not devs.
Thanks for trying to help, Kevin,
> There are significant weaknesses in any process, the majority of which
> occur between the build infrastructure and source providers which
> OpenBSD does a very nice job of.
I'm not sure why you think that's where the majority of problems
occur, but in any case, my point is that using signatures
> I could have answered lots of points that were weak or erroneous in
> this thread but that would just be feeding trolls.
You must be using the term "troll" differently to how the rest of the
world uses it. I have legitimate concerns that I have explained in
detail that no one has yet responded
> I already said there are no plans to start signing things. What more
> is there to discuss?
Two things:
1) Why not? I'd like to know the reasons. I've read the FAQ, I've
checked the archives, and I've read all of the messages in this
thread. The best answer seems to be "because we can't be