Hi. I'm seeing, in this mailing list, much talk about the datagate and related matters, and I can see why the topic may be of interest to many OpenBSD users.

Anyway, I really like OpenBSD, but I always restrain myself from using it on a desktop machine for a single reason: while pkg_add supports signed packages, those provided by the OpenBSD project aren't. You can easily find other similar complaints on the internet... but I really fail to understand why the project isn't providing signed packages, when there is already support for it.

Why do signed packages matter? Well, I can fetch the ports tree in a secure way, verify its integrity and origin, and then the ports definitions contain the source packages' hashes. I like the idea and the flexibility, but on desktop computers it may be undesirable to compile software, especially big suites like X, GNOME, Firefox, LibreOffice. This gets even worse when the "desktop" is a laptop computer, as in my case.

I won't use unsigned packages, because there's a concrete risk of corruption, I don't know if I should trust the mirror, and even with the official OpenBSD mirrors... it's easy, really easy, for someone to run an HTTP/FTP MITM on me and give me a backdoored, or trojaned, binary package. Not only on a free Wi-Fi in a hotel abroad, but even using a "secure" connection, it's easy for the ISP, or the government, to just give me a "bad" bash package and gain root in a clap of hands. Then, the datagate revealed how easy it is to modify a stream "in between": if there are people capable of intercepting someone's request to LinkedIn on a rogue router in the path, and immediately giving back a page that contains a browser exploit before the real site can produce a response, how easy is it to intercept, say, a pkg_add update to an OpenBSD mirror and give back a backdoored package? I'm not talking only about the Five Eyes: any government, even private entities, are capable of this. That's the reason why almost all GNU/Linux distributions sign packages.

Even other *BSD distributions are starting to adopt signed binary packages: pkg(ng), on FreeBSD, checks that the repository signature is made with the right key. It calculates the public key's hash and compares it with the hash present in /usr/share/keys/pkg/trusted/. The repository definition contains a list of the packages' hashes, which is the signed part. Every package provides a signature of all files provided. TL;DR: pkgng is totally signed. And pkg_add, as I already stated, while it doesn't have the concept of a "repository", still supports individually signed packages. What is keeping the OpenBSD project from implementing signed binary packages, and is it planned?


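The verification chain the post attributes to pkgng (trusted key fingerprint on disk, a signed catalogue of package hashes, each downloaded package checked against that catalogue) is easy to misread as "just a checksum". The following is an added example, written for this thread and not taken from pkgng, pkg_add or any OpenBSD/FreeBSD source: it models that chain with Ed25519 from Go's standard library, a constructed one-line manifest format (`name sha256hex`), and a trust store that is a plain set of key fingerprints standing in for /usr/share/keys/pkg/trusted/. The package contents, manifest layout and key handling are all assumptions made for illustration; the point it demonstrates is which mirror-side or on-path modifications a client that only checks hashes would miss, and which ones the signed manifest plus pinned fingerprint rejects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// TrustStore holds hex SHA-256 fingerprints of public keys the client accepts.
// It stands in for the on-disk trusted-key directory described in the post (assumption).
type TrustStore map[string]bool

// Fingerprint is the value a client pins: the SHA-256 of the raw public key bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Manifest is the repository catalogue as fetched from a mirror: the signed body,
// the signature, and the public key the mirror claims signed it.
// Body format (constructed for this example): one "name sha256hex" line per package.
type Manifest struct {
	Body []byte
	Sig  []byte
	Pub  ed25519.PublicKey
}

// SignManifest is the publisher side; it is included only so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, body []byte) Manifest {
	return Manifest{Body: body, Sig: ed25519.Sign(priv, body), Pub: priv.Public().(ed25519.PublicKey)}
}

// VerifyManifest accepts the catalogue only if the key is pinned AND the signature is
// valid. A key that is merely shipped alongside the manifest proves nothing by itself.
func VerifyManifest(ts TrustStore, m Manifest) (map[string]string, error) {
	if !ts[Fingerprint(m.Pub)] {
		return nil, errors.New("manifest signed by a key not in the trust store")
	}
	if !ed25519.Verify(m.Pub, m.Body, m.Sig) {
		return nil, errors.New("manifest signature does not verify")
	}
	hashes := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(m.Body)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		hashes[fields[0]] = fields[1]
	}
	return hashes, nil
}

// VerifyPackage checks downloaded bytes against the hash from an already-verified manifest.
func VerifyPackage(hashes map[string]string, name string, data []byte) error {
	want, ok := hashes[name]
	if !ok {
		return fmt.Errorf("package %s is not listed in the manifest", name)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("package %s: hash mismatch, contents differ from the signed catalogue", name)
	}
	return nil
}

// ScenarioResult records the outcome of three client runs.
type ScenarioResult struct {
	Genuine   error // pinned key, intact package: must be nil
	Tampered  error // pinned key, package bytes modified in transit: must be non-nil
	Untrusted error // manifest re-signed with a key the client never pinned: must be non-nil
}

// RunScenario builds the constructed sample data and exercises the three cases.
func RunScenario() (ScenarioResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	ts := TrustStore{Fingerprint(pub): true}

	// Constructed sample package and the manifest line describing it.
	pkg := []byte("bash-5.2 package payload (constructed sample, not a real package)")
	sum := sha256.Sum256(pkg)
	body := []byte("bash-5.2 " + hex.EncodeToString(sum[:]) + "\n")

	var r ScenarioResult
	hashes, verr := VerifyManifest(ts, SignManifest(priv, body))
	if verr != nil {
		r.Genuine = verr
	} else {
		r.Genuine = VerifyPackage(hashes, "bash-5.2", pkg)
		r.Tampered = VerifyPackage(hashes, "bash-5.2", append([]byte("modified-in-transit "), pkg...))
	}
	// Someone on the path can sign a fresh manifest with their own key, but its
	// fingerprint is not pinned, so the client never even looks at the hashes.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	_, r.Untrusted = VerifyManifest(ts, SignManifest(otherPriv, body))
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", r.Genuine)
	fmt.Println("tampered:", r.Tampered)
	fmt.Println("untrusted key:", r.Untrusted)
}
```

The ordering matters: the fingerprint check comes before signature verification, and the per-package hash is only consulted after the manifest has passed both, so a mirror or on-path party that can rewrite the catalogue gains nothing unless it also holds the pinned private key.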