>> > Come on... twice a year and get the benefit of not being excluded from
>> > company policies which require digital signature of software downloaded
>> > through the internet.
>>
>> It's not really OpenBSD's problem that some companies implement pointless
>> "security" policies.
>
> I'm not discussing whether it's pointless or not, maybe you don't want
> OpenBSD to be used at all?
You make it sound like OpenBSD is a vendor that is actively marketing to these companies and that cannot make a sale because it is not meeting a specific set of criteria in your requirements docs.

Tell you what. I am sure there are a number of individuals on the list who own or work at companies that would be more than happy to provide your employer with a custom-built set of installation binaries and packages, signed for your digital pleasure. I expect bi-annual costs, including overhead like lawyers, errors and omissions insurance, etc., to run mid-5-figures per release. Minimum 5-release contract. Expect much re-writing of contract clauses. If there is indeed that much value derived in your organization from the use of OpenBSD, then this will be a paltry sum to pay.

I am fairly confident that Oracle and Sun and SAP likely aren't PKI'ing their updates from their websites. Oh wait. Are those excluded from the company policy because you have a contract in place?

I went through a similar policy a few years ago while doing Sarbanes-Oxley consulting. The lawyers and auditors were screaming for validation of free software, like Perl. After many months of having tantrums, they, along with management, finally realized that going down this path would be tantamount to trying to chip away all the mortar keeping a brick building together. The effects on the integrity of the structure (corporate, in this case) would be too great to keep pursuing this line of thought. That policy was abandoned because it was costing more to implement than the perceived risks they believed they could mitigate. (i.e. - they had to think in practical terms)

Shortly afterward, I went back to steel-toed-boots engineering, where risk models really matter because you're trying to ensure that people don't get killed, that the environment doesn't get polluted, that you don't destroy assets and that you don't impact production.
Digital signatures are pretty irrelevant when you need to be concerned about an explosion that could potentially wipe out a few hundred million in infrastructure in the space of a few city blocks. Or when an H2S leak can kill you and your crew in the matter of a few breaths. If it's that important, shut up and hack. Or otherwise just shut up.