Re: package integrity, security and checks. .... where are they ?

2008-12-18 Thread Marc Espie
On Wed, Dec 17, 2008 at 10:46:10AM -0600, Matthew Weigel wrote: Like Marc said, signing packages when the process doesn't protect the integrity of the signatures, the source used to compile the binaries that are signed, and the binaries themselves, you are providing a misleading sense of

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Matthew Weigel
Martin Schröder wrote: 2008/12/17 Marc Espie es...@nerim.net: We think it's worse to sign packages than not to sign them if you don't have a fairly strict process that ensures you have a correct chain of trust. Agreed. PGP provides that, but I can understand that nobody wants GnuPG in base.

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Martin Schröder
2008/12/17 Marc Espie es...@nerim.net: We think it's worse to sign packages than not to sign them if you don't have a fairly strict process that ensures you have a correct chain of trust. Agreed. PGP provides that, but I can understand that nobody wants GnuPG in base. :-{ Best Martin

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Jacob Yocom-Piatt
Martin Schröder wrote: 2008/12/17 Marc Espie es...@nerim.net: We think it's worse to sign packages than not to sign them if you don't have a fairly strict process that ensures you have a correct chain of trust. Agreed. PGP provides that, but I can understand that nobody wants GnuPG in

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Marc Espie
On Wed, Dec 17, 2008 at 05:21:30PM +0100, Martin Schröder wrote: 2008/12/17 Marc Espie es...@nerim.net: We think it's worse to sign packages than not to sign them if you don't have a fairly strict process that ensures you have a correct chain of trust. Agreed. PGP provides that, but I can

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Christian Weisgerber
Jacob Yocom-Piatt j...@fixedpointgroup.com wrote: the next best option i can think of is to have the hashes (sha256 and/or others) fetched via ssh from a trusted site, e.g. your nearest anoncvs server. it avoids the gnupg requirement but is still susceptible to mitm on key fingerprints,

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Marc Espie
On Wed, Dec 17, 2008 at 03:19:09PM +1100, spamtester spamtester wrote: I know that i have the freedom to do this. However, my original question might have been a bit too bitchy. The issue here is that, openbsd devs donate their good time making packages. Which is great. However, if they could

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Jussi Peltola
OpenBSD already has an SSL cert. Just publish the checksums over HTTPS. Of course, that implies trust on the SSL PKI, but the moaners will surely accept that. -- Jussi Peltola

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Ted Unangst
On Wed, Dec 17, 2008 at 3:56 PM, Jussi Peltola pe...@pelzi.net wrote: OpenBSD already has an SSL cert. Just publish the checksums over HTTPS. It's that easy?

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Jussi Peltola
On Wed, Dec 17, 2008 at 04:11:43PM -0500, Ted Unangst wrote: On Wed, Dec 17, 2008 at 3:56 PM, Jussi Peltola pe...@pelzi.net wrote: OpenBSD already has an SSL cert. Just publish the checksums over HTTPS. It's that easy? To silence the people demanding magic security dust? Yes. To guarantee

Re: package integrity, security and checks. .... where are they ?

2008-12-17 Thread Sebastian Rother
Well sorry if I may attend to this talk but what I saw so far is kinda disappointing. You all talk about GnuBLAFOO and PKIs... OpenBSD uses gzip (not even with -9..) for the packages and for gzip there's a tool called gzsig which is already included in the base. What does the tool do? gzsig

Re: package integrity, security and checks. .... where are they ?

2008-12-16 Thread spamtester spamtester
Yes md5sums are not that great. Sha1 would be nicer i guess. 2008/12/16 Martin Schröder mar...@oneiros.de 2008/12/15 Marc Espie es...@nerim.net: Heck, we're further along the curve than most others. If you look closely at cough OpenSUSE has signed packages and signed repos for years. So

Re: package integrity, security and checks. .... where are they ?

2008-12-16 Thread Stuart Henderson
On 2008-12-16, Martin Schröder mar...@oneiros.de wrote: 2008/12/15 Marc Espie es...@nerim.net: Heck, we're further along the curve than most others. If you look closely at cough OpenSUSE has signed packages and signed repos for years. So have many other Linux distros. OpenBSD is still

Re: package integrity, security and checks. .... where are they ?

2008-12-16 Thread Marc Espie
On Tue, Dec 16, 2008 at 10:53:01AM +0100, Martin Schröder wrote: 2008/12/15 Marc Espie es...@nerim.net: Heck, we're further along the curve than most others. If you look closely at cough OpenSUSE has signed packages and signed repos for years. So have many other Linux distros. OpenBSD

Re: package integrity, security and checks. .... where are they ?

2008-12-16 Thread Martin Schröder
2008/12/15 Marc Espie es...@nerim.net: Heck, we're further along the curve than most others. If you look closely at cough OpenSUSE has signed packages and signed repos for years. So have many other Linux distros. OpenBSD is still debating md5s of packages in 2008. Best Martin

Re: package integrity, security and checks. .... where are they ?

2008-12-16 Thread bofh
It's generally an issue of resources. Your most linux distros are mostly commercial. Debian is the only non-commercial, but they still get more funding than openbsd. Openbsd has always been a developer's distro. If you feel that strongly about things - fund it or build it yourself, or start a

Re: package integrity, security and checks. .... where are they ?

2008-12-16 Thread Dieter
OpenBSD is still debating md5s of packages in 2008. Seems like the first step would be to have checksums for all of the base system. Then do packages, then consider signatures. Personally I can live without signatures, but a checksum (or some form of data integrity verification) is needed. I

Re: package integrity, security and checks. .... where are they ?

2008-12-15 Thread Marc Espie
On Mon, Dec 15, 2008 at 05:30:32PM +1100, Damien Miller wrote: On Sun, 14 Dec 2008, spamtester spamtester wrote: It does not matter what faith one places in the pki or webs of trust (gpg/pgp style). Most linux distributions have had their packages signed for years (for example at ruxcon -

package integrity, security and checks. .... where are they ?

2008-12-14 Thread spamtester spamtester
Hello I note that pkg_add can work over scp However, as a user who is told to use packages by the official openbsd documentation and that ports are for advanced users. I feel somewhat let down... at this answer. Obviously i do not have ssh access to a mirror. I also do not have the

Re: package integrity, security and checks. .... where are they ?

2008-12-14 Thread spamtester spamtester
I meant that the fact that i do not know for certain that the packages were compiled by openbsd dev makes packages interesting. To be clear, my point re - cost is stupid and wrong. Free is free as in speech not as in beer. 2008/12/14 spamtester spamtester spamtesterspamtes...@gmail.com Hello I

Re: package integrity, security and checks. .... where are they ?

2008-12-14 Thread Damien Miller
On Sun, 14 Dec 2008, spamtester spamtester wrote: It does not matter what faith one places in the pki or webs of trust (gpg/pgp style). Most linux distributions have had their packages signed for years (for example at ruxcon - an australian security conference a large number of participants