On Thu, Sep 6, 2012 at 4:05 AM, Rowdy OpenBSD <[email protected]> wrote:
> But that's inconsistent with OpenBSD's proactive approach to security.
> The OpenBSD project has put more effort into less significant
> security features than this.

This is not inconsistent. It's clearly stated in faq15[1]:

"The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security."

Package signing can be implemented on your end with all the security checks that would be implemented by the OpenBSD developers [2].

[1] http://www.openbsd.org/faq/faq15.html#Intro
[2] http://www.openbsd.org/faq/faq15.html#PkgSig

