Many users who would like to test OpenBSD would be pleased about the possibility to purchase or download OpenBSD as a DVD. Most users have a DVD or even a Blu-ray drive these days, and I believe that the installation should be as comfortable as possible if you want to gain new users. A DVD with the full set of packages for installation, as well as the whole set of OpenBSD software for live system boots, would be possible, as you can fit approx. 2*3 CDs on a single DVD.

The additional possibility to boot a genuinely downloaded OpenBSD DVD (not a self-assembled one or a live DVD from a third party) will even be critical for many use cases concerning security. Sometimes, at least if you can trust the BIOS of the machine, you want to boot from a non-alterable live medium and want to reboot after any possible security incident (f.i. visiting an untrustworthy website). Even if you install on hard drive, having a single DVD for installation and verification can be an essential advantage, as you want to verify whether files have been altered on hard disk (and I have already spotted numerous intrusions this way).

Some people may ask whether keeping it on DVD will just help to verify integrity but not authenticity. Sure, you have to ascertain the authenticity of your download at least once, but then you can keep the sha256/512sum with you and ascertain auth. by keeping integrity. Both domains are closely linked together, and you can f.i. add auth. to integr. by signing the sha-lists of the files a package contains (though signing is not a silver bullet, as the secret keys tend to be stolen systematically by intelligence services). Sometimes you can get a higher degree of auth. by making several anonymous download attempts, because lost integrity on some downloads or the downloads in a given area could be easily spotted by the providers of the download.
Nonetheless, to improve auth. I would suggest shipping your secret key with a live medium that can be purchased in newspaper shops, like the System Rescue CD (http://www.sysresccd.org/forums/viewtopic.php?f=6&t=5208); apart from approaches like DANE/DNSSEC (http://www.mail-archive.com/[email protected]/msg33596.html), which cannot provide the ultimate silver bullet either.
Elmar Stellnberger
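As an added example (not code from the post or from the OpenBSD project), the integrity check the post describes: a sha256 list of installed files, a comparison of the running system against a copy of that list kept on non-alterable media, and a majority check across several independent downloads of the same file. The file names and contents in `demo()` are constructed for the demonstration.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large package sets need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> sha256 for every regular file below root (a 'sha-list')."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root, trusted):
    """Compare the tree under root against a manifest kept on read-only media.
    Altered and missing files are the intrusion signal; unexpected files are
    reported separately because they may be legitimate local additions."""
    current = build_manifest(root)
    return {
        "altered": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in current),
        "unexpected": sorted(p for p in current if p not in trusted),
    }

def cross_check_downloads(digests):
    """Digests of one file fetched over several independent paths: return the
    majority digest and the indexes of the downloads that disagree with it."""
    majority, _ = Counter(digests).most_common(1)[0]
    return majority, [i for i, d in enumerate(digests) if d != majority]

def demo():
    """Constructed sample tree: snapshot it, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "rc").write_bytes(b"#!/bin/sh\necho boot\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        trusted = build_manifest(root)          # the list you would keep on the DVD
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced")   # altered binary
        (root / "etc" / "rc").unlink()                            # deleted file
        (root / "etc" / "rc.local").write_bytes(b"echo hi\n")     # new file
        return verify_manifest(root, trusted)
```

Calling `demo()` returns the altered, missing and unexpected paths; in practice `trusted` would be loaded from the signed list on the read-only medium rather than rebuilt in the same run.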
