On Thu, Jan 15, 2015 at 3:27 PM, Enos D'Andrea <[email protected]> wrote:
> On 14/01/2015 17:03, [email protected] wrote:
>> [...] you trust Theo and OpenBSD because you have no better option.
>> Don't pretend you increase your security by proving the software came
>> from a source you can't prove is trustworthy. [...]
>
> More than Theo himself, what makes me trust OpenBSD is its stable,
> clean, open and essential code reviewed by a very skilled community.
> That's why I go the extra mile(s) to ensure running *that* code.
>
>
> <off-topic>
>
>> Security is about pushing attacks out of your attackers' ability or
>> price range. [...] Are you willing to go to the effort that defending
>> against your outlined attack requires?
>
> Being my current line of work, yes. Not that I or my clients have
> anything malicious to hide, but some government agencies and vendors
> seem to have lost touch with reality and/or ethics.
>
> The discussion went off topic. I was just after signed CD checksums, to
> raise the security of my physical delivery on par with that of the
> source code.

I think the attitude of the team here is that they want us to take the
responsibility of (re-)bootstrapping our trust chains ourselves.

> Never mind: I will make do with downloading an ISO, while
> the kid within me enjoys the boxed CD set (which, save missing CD
> checksums for paranoid security people, is very nice indeed).

Actually, since you have the packages etc. on the CDs, you can save
yourself quite a bit of bandwidth, just downloading the net-install
ISO and checking the checksum the mirror advertises. (And comparing
the checksums found on five other randomly selected mirrors.)

With big-name Linux projects, the packages on your DVD are old by the time
you get them. Not so with OpenBSD.

Once you have the base system installed, signify checks things for
you. (Under the control of various scripts.)

> </off-topic>
>
>
> Many thanks to Theo and the others for your advice and opinions.
>
> Regards
>
> --
> Enos D'Andrea
>

-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.
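As an added illustration of the cross-mirror checksum comparison suggested above (example code written for this page, not from either poster or the OpenBSD project), the script below parses the BSD-style `SHA256` listings that mirrors publish, takes the majority digest for a file, and reports any mirror that advertises something else. Mirror names, file names and digests are constructed sample data; a majority across mirrors only narrows the window for a single tampered mirror, so once `signify` is available the signed listing should be checked with `signify -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig install56.iso` (the 5.6 key path is assumed for the release current at the time of the thread).

```python
import hashlib
import re
from collections import Counter

# OpenBSD mirrors publish digests in the BSD form "SHA256 (file) = <64 hex>".
_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")


def parse_sha256_listing(text):
    """Parse one mirror's SHA256 file into {filename: hexdigest}; skip other lines."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out[m.group("name")] = m.group("hex")
    return out


def cross_check(listings, name):
    """Compare the advertised digest of `name` across mirrors.

    listings: {mirror: {filename: hexdigest}} as returned by parse_sha256_listing.
    Returns (majority_hex, sorted mirrors that disagree or do not list the file).
    A majority is a heuristic only; the signify signature is the real check.
    """
    votes = Counter(l[name] for l in listings.values() if name in l)
    if not votes:
        raise ValueError("no mirror lists %s" % name)
    majority, _ = votes.most_common(1)[0]
    dissent = sorted(m for m, l in listings.items() if l.get(name) != majority)
    return majority, dissent


# Constructed sample data: three mirrors agree, mirror-d advertises a different digest.
GOOD = hashlib.sha256(b"constructed iso bytes").hexdigest()
BAD = hashlib.sha256(b"constructed tampered bytes").hexdigest()
MIRRORS = {
    "mirror-a": "SHA256 (install56.iso) = %s\n" % GOOD,
    "mirror-b": "SHA256 (install56.iso) = %s\nSHA256 (INSTALL.amd64) = %s\n" % (GOOD, GOOD),
    "mirror-c": "# comment line the parser must ignore\nSHA256 (install56.iso) = %s\n" % GOOD,
    "mirror-d": "SHA256 (install56.iso) = %s\n" % BAD,
}


def check_mirrors(name="install56.iso"):
    """Run the comparison over the constructed mirrors for one file."""
    listings = {m: parse_sha256_listing(t) for m, t in MIRRORS.items()}
    return cross_check(listings, name)


if __name__ == "__main__":
    majority, dissent = check_mirrors()
    print("majority digest:", majority, "dissenting mirrors:", dissent)
```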
