On Wednesday, 05.12.2007 at 17:59 +0000, Kevin Stam wrote:
> For one thing, I think you're quite confused. Unless I'm missing
> something, I'm not noticing the FreeBSD, NetBSD, Linux kernel
> developers "signing" their code, or doing anything particularly
> differently from the OpenBSD developers. Please explain.
I'm guessing that he's referring to the fact that some Linux *distributions* (not the kernel developers or necessarily any of the components) sign their binary packages: for example, Debian do this. I believe one of the supposed benefits of this is that it allows anyone to set up a public Debian mirror and, after checking the signatures during download, one can be sure that they are 'real' Debian packages.

I believe that in some circumstances this may lead to a false sense of security:

- Said mirror could have old (vulnerable) versions of packages. Just because they're signed doesn't mean they're safe;

- The signing relates only to the packaging: if the underlying source code is compromised, then all bets are off.

Would signing help for OpenBSD? I don't particularly see that it would, given that you are trading off the hassle of implementing it, maintaining it and so on, against the benefits of doing so, which are probably small or non-existent.

Dave.

-- 
Dave Ewart
[EMAIL PROTECTED], jabber:[EMAIL PROTECTED], freenode:davee
All email from me is now digitally signed, http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
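Dave's first caveat, that a valid signature on a mirror says nothing about whether the package is current, is worth seeing in code. The Go program below is an added example, not code from this thread, from Debian or from OpenBSD; it uses a made-up index format (a package list plus a `Valid-Until` date, signed with a hypothetical archive Ed25519 key) to show that a stale index from a neglected mirror still passes the signature check, and that a client only catches the problem if it also checks freshness and refuses downgrades. Debian's real Release files later grew a `Valid-Until` field for this reason, but the format and checks here are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Release is a constructed stand-in for a distribution's signed package
// index: package versions plus the date after which a client should stop
// trusting it. It is not Debian's real Release format.
type Release struct {
	Packages   map[string]string // package name -> version
	ValidUntil time.Time
}

// Encode renders the index as canonical bytes, which is what gets signed.
// Names are sorted so the encoding is deterministic.
func (r Release) Encode() []byte {
	var b strings.Builder
	fmt.Fprintf(&b, "Valid-Until: %s\n", r.ValidUntil.UTC().Format(time.RFC3339))
	names := make([]string, 0, len(r.Packages))
	for n := range r.Packages {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, r.Packages[n])
	}
	return []byte(b.String())
}

// NewSigningKey generates the hypothetical archive keypair.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the detached signature the archive publishes beside the index.
func Sign(priv ed25519.PrivateKey, r Release) []byte {
	return ed25519.Sign(priv, r.Encode())
}

// SignatureValid answers only "was this index signed by the archive key?"
// It is deliberately silent about age.
func SignatureValid(pub ed25519.PublicKey, r Release, sig []byte) bool {
	return ed25519.Verify(pub, r.Encode(), sig)
}

var (
	ErrBadSignature = errors.New("index signature does not verify")
	ErrExpired      = errors.New("index is past its Valid-Until date")
	ErrRollback     = errors.New("index offers an older version than the one installed")
)

// Verify is what a client should run against a mirror's index: signature
// first, then freshness, then a rollback check against what is already
// installed (name -> version). A stale mirror fails the second step even
// though its signature is genuine.
func Verify(pub ed25519.PublicKey, r Release, sig []byte, now time.Time, installed map[string]string) error {
	if !SignatureValid(pub, r, sig) {
		return ErrBadSignature
	}
	if now.After(r.ValidUntil) {
		return ErrExpired
	}
	for name, have := range installed {
		if offered, ok := r.Packages[name]; ok && versionLess(offered, have) {
			return ErrRollback
		}
	}
	return nil
}

// versionLess compares dotted numeric versions, e.g. "4.4" < "4.7".
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed stale index, as a neglected mirror might still serve it.
	stale := Release{Packages: map[string]string{"openssh": "4.4"},
		ValidUntil: time.Date(2007, 1, 31, 0, 0, 0, 0, time.UTC)}
	sig := Sign(priv, stale)
	now := time.Date(2007, 12, 5, 17, 59, 0, 0, time.UTC)
	fmt.Println("signature valid:", SignatureValid(pub, stale, sig))
	fmt.Println("full client check:", Verify(pub, stale, sig, now, map[string]string{"openssh": "4.7"}))
}
```

The point of the split between `SignatureValid` and `Verify` is that a mirror operator cannot forge the archive's signature, but does not need to: serving last year's genuinely signed index is enough to keep clients on vulnerable versions unless the client enforces `Valid-Until` and refuses to go backwards. Dave's second caveat is outside what any of this can check: if the source that was packaged was already compromised, the signature is honest and the package is still bad.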

