> Many users who would like to test OpenBSD would be pleased about the > possibility to purchase or download OpenBSD as DVD. > Most users have a DVD or even a Blue Ray drive these days and I believe that > the installation should be as comfortable as > possible if you wanna gain new users. A DVD with the full set of packages for > installation as well as providing the whole set of > OpenBSD software for live system boots would be possible as you can get approx > 2*3 CDs on a singleton DVD. The additional > possibility to boot a genuinely downloaded OpenBSD DVD (not a self assembled > one or a live DVD from a third party) will even > be critical towards many use cases concerning security. Sometimes at least if > you can trust the BIOS of the machine you want > to boot from a non-alterable live medium and want to reboot after any possible > security incident (f.i. visiting an untrustworthy > website). Even if you install on hard drive having a singleton DVD for > installation and verification can be an essential advantage > as you wanna verify whether files have been altered on hard disk (and I have > already spotted numerous intrusions this way). > Some people may ask whether keeping it on DVD will just alleviate to verify > integrity but not authenticity. Sure you have to > ascertain the authenticity of your download at least once but then you can > keep the sha256/512sum with you and ascertain > auth. by keeping integrity. Both domains are closely linked together and you > can f.i. add auth to integr. by signing the sha-lists > of the files a package contains (though signing is not a silver bullet as the > secret keys tend to be stolen systematically by > intelligence services). Sometimes you can get a higher degree of auth. by > making several anonymous download attempts > because lost integrity on some downloads or the downloads in a given area > could be easily spotted by the providers of the > download. Nonetheless to improve auth I would suggest to ship your secret key > with a live medium that can be purchased > in newspaper shops like the System Rescue CD > (http://www.sysresccd.org/forums/viewtopic.php?f=6&t=5208); apart from > approaches like DANE/DNSSEC > (http://www.mail-archive.com/[email protected]/msg33596.html) which can > not > provide the ultimate silver bullet either.
The big question: How many of you would pay how much for each unit? It has to be worth the effort, or, the effort will distract from other much more important work. As to the remaining authentication issues you mention about, that is about to be solved with cryptographic signatures. If you eventually find this new work valuable at covering your risk factors in the next coming months, PLEASE make sure we know by contributing to the project.
