On Thu, Aug 01, 2002 at 02:17:36PM +0200, Christian Bahls wrote:
> 1.) I do not often check signatures on packets I install

Particularly difficult when there _are no_ signatures available for the
package you want to install (in this case, the non-"portable" tarballs).

AFAIK there have never been signatures available for the OpenBSD
tarballs.  At least none that I've seen on the FTP server.  I hope this
will change soon...?

I have also been curious as to how exactly DJM and the portability group
have been verifying that _they_ obtained clean tarballs before applying
their modifications.  If they also have no way to verify tarballs, that
effectively blinds a very important set of eyes from being able to spot
trojans.

(Of course, if they are just doing CVS checkouts from a secure CVS
server, this issue would be moot.  But the fact that the portable
versions were also trojaned, combined with the appearance that the
trojaning occurred _on the FTP server and not on any development
machines_, I think allows one to reasonably assume that the tarballs are
being used.  This last point may not be the case, we will have to wait
for more information to come out.)
