That's irrelevant (the impersonating bit).

What you have to understand is this - this is not a commercial
venture, nor is openbsd looking to grow marketshare or ease of use or
anything.  This is a project by developers for themselves.

Yes, they do sell CDs and so on to help support the project, and yes
they have users that they support.  But the moment the users become
annoying and pass a certain threshold (which is different for
different developers) those users become lusers (not saying you are
one, btw).

So, look at their objectives - does using pki solve anything for them?
No, not really.  Signing source code that goes into the tree - does
it help?  No, if an intruder got in, they would have gotten the key
anyway.  Signing binaries?  What's on the primary server is considered
authoritative.  Or you can compile your own.  Binary updates?  Don't
do it.  Mirrors - they currently use MD5 which is cheap and fast and
good enough.

So, to put in a complicated pki and so on would add overhead that is
really useless to the developers.  It may benefit some users.  But
does the benefit outweigh the cost?  Not currently, according to the
developers.

Now, if you're willing to fund it, and do the work, and manage to
gain Theo's trust, then you get to do it.  But else, I don't really
see the devs taking on this additional work for fun.  And ultimately
that's what they're doing - having fun.

Now, it could be that tomorrow one of the devs catches the pki bug -
then suddenly, all this can and will happen.  But I doubt it.

On 12/5/07, new_guy <[EMAIL PROTECTED]> wrote:
> Bob Beck-2 wrote:
> >
> >     If you want a secure binary. buy an official CD.. This is
> > what most people do.  PKI requires infrastructure that would cost OpenBSD
> > money and developer time. Official CD's keep OpenBSD alive.
> >
> >     Oh wait, we should devote resources to people who care about
> > security, just not enough to spend $50 on it..   Yeah. I'll get right
> > on that.
> >
> >     -Bob
> >
>
> One last thought. You insinuate in this post that I do not buy CDs or
> support OpenBSD. I claim that I do. There is a person listed by my name on
> the donations page... but since I was not given the opportunity to digitally
> sign my donation ;) I could just be impersonating that person. How is that
> for irony? I'll go away now.
>
> Thanks,
> Brad
>
> --
> View this message in context:
> http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14180803
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
>
>


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
