On Mon, Apr 7, 2008 at 3:08 PM, Nikns Siankin <[EMAIL PROTECTED]> wrote:
> >> I did not find a file on the OpenBSD mirrors which contains a digital
> >> signature for the 'MD5' files which are placed in the platform-specific
> >> directories (e.g.: ftp://ftp.openbsd.org/pub/OpenBSD/4.2/i386/).
> >>
> >> Is there no way to verify the authenticity of the installation files?
> >
> >No, there is no way.
>
> You see how OpenBSD cares about secure distribution ;]
>
> Even if you trust your postman, using already outdated stuff
> will not help you stay secure ;]
>
Here's the thing... even if the developers are going to go to the trouble of setting up a PKI infrastructure for code signing, are you going to check two forms of government-issued ID for each of the developers? Code signing gives no benefit without a trust network.

--
Michael Richardson <[EMAIL PROTECTED]>