Re: !!!!

2012-09-06 Rowdy OpenBSD
I already said there are no plans to start signing things. What more is there to discuss? Two things: 1) Why not? I'd like to know the reasons. I've read the FAQ, I've checked the archives, and I've read all of the messages in this thread. The best answer seems to be because we can't be

Re: !!!!

2012-09-05 Rowdy OpenBSD
To the OP. When checking I choose a source mirror or two and download just the SHA256. There is no sha256 for src.tgz and sys.tgz but you can use ssh for the source code by getting the fingerprint once like for signatures but tied to servers and not devs. Thanks for trying to help, Kevin, but

Re: !!!!

2012-09-05 Rowdy OpenBSD
There are significant weaknesses in any process, the majority of which occur between the build infrastructure and source providers which OpenBSD does a very nice job of. I'm not sure why you think that's where the majority of problems occur, but in any case, my point is that using signatures

Re: !!!!

2012-09-05 Rowdy OpenBSD
I could have answered lots of points that were weak or erroneous in this thread but that would just be feeding trolls. You must be using the term troll differently to how the rest of the world uses it. I have legitimate concerns that I have explained in detail that no one has yet responded to

Signatures for distribution sets and packages?

2012-09-04 Rowdy OpenBSD
Is there any way to verify that distribution sets and packages that I have downloaded have not been tampered with (e.g., by someone with access to the mirror from which I downloaded them)? The package system supports signatures, but the packages distributed on OpenBSD mirrors are unsigned, as is

Re: Signatures for distribution sets and packages?

2012-09-04 Rowdy OpenBSD
Is there any way to verify that distribution sets and packages that I have downloaded have not been tampered with (e.g., by someone with access to the mirror from which I downloaded them)? The package system supports signatures, but the packages distributed on OpenBSD mirrors are unsigned, as is