On Wed, May 25, 2016 at 6:02 PM, Chris Bennett wrote:
> 1. The small bad guys. They can put up compromised install files and sig
> files. They laugh at the damage they did to you. Jajaja.
>
> 2. The worse bad guys. Your actual network from your ISP is compromised
> and you get compromised data. Per
Just purchase a CD set (or purchase a couple, every six months,
sponsor the project) and take the signify keys from there. They're
even printed on the physical CDs themselves.
If your adversary can fake OpenBSD CD sets (in a timely fashion),
there's really not much else you can do.
Really .. jus
> In the past people have posted photos of signify keys from CDs,
> they're on various list posts, release notes, etc. Doing a web
> search for the key that you have should find a number of results.
>
> Once you have *one* verified signify key, as long as you're not
> skipping updates, there is a
On 2016-05-25, Chris Bennett wrote:
> Get the SHA256.sig from a different server than the install files, after
> all, using just one server could be a problem if it is compromised.
You can get the SHA256.sig from the *same* server.
You just need to verify the openbsd-XX-base.pub key before you
p
Thu, 26 May 2016 04:37:04 +0200 arrowscr...@mail.com
> I don't really understand the crypto theory behind it all, but I
> didn't read any elaborated argument besides a big "NO" from openbsd
The topic of the debate is incorrect, mostly the result of ignorance.
signify - cryptographically sign and
>Anything else, that has PGP keys and such. Good luck!
It's curious you say this Theo, since OpenSSH already uses PGP to
sign the releases... no? Web of Trust wouldn't minimize the
probability of corrupted packages? What makes you think that the
main server (openbsd.org) cannot not be pwned? Ju
On 25 May 2016 at 23:59, Rubén Llorente wrote:
> Many people is just uding the TOFU model with the keys.
>
Because I didn't get it at first and had to google it:
For the archives:
is -> are (grammar)
uding -> using (typo)
TOFU -> Trust On First Use
Eduard - Gabriel Munteanu:
> Well, you could certainly put the key and signify sources on the
> main website.
As Theo said they're at the corresponding pages [s/http/https/g]:
> You mean like here?
>
> http://www.openbsd.org/59.html
>
> and
>
> http://www.openbsd.org/58.html
>
> and
>
> htt
On Wed, 2016-05-25 at 17:22 -0600, Theo de Raadt wrote:
> > Well, you could certainly put the key and signify sources on the main
> > website. The CVS thing doesn't seem to be HTTPS-enabled.
>
> You mean like here?
[...]
Oops, I completely missed those. I was looking at the download page and
inst
> By the same reasoning, you don't really need security fixes and
> countermeasures either. So much for the security-oriented OS.
I am glad we hit the point where you go run something else.
Anything else, that has PGP keys and such. Good luck!
> Well, you could certainly put the key and signify sources on the main
> website. The CVS thing doesn't seem to be HTTPS-enabled.
You mean like here?
http://www.openbsd.org/59.html
and
http://www.openbsd.org/58.html
and
http://www.openbsd.org/57.html
and
http://www.openbsd.org/56.html
EVE
On Wed, 2016-05-25 at 17:02 -0500, Chris Bennett wrote:
> Get the SHA256.sig from a different server than the install files, after
> all, using just one server could be a problem if it is compromised.
>
> And face the reality of things:
>
> 1. The small bad guys. They can put up compromised insta
On Wed, 2016-05-25 at 16:18 -0600, Theo de Raadt wrote:
> > It currently seems impossible to verify downloads from a computer
> > without OpenBSD, for a few reasons:
> >
> > 1. No securely-distributed public key
> > 2. Lack of signify packages in e.g. Linux distros, or
> > securely-distributed sou
Eduard - Gabriel Munteanu wrote:
> Hi,
>
> It currently seems impossible to verify downloads from a computer
> without OpenBSD, for a few reasons:
>
> 1. No securely-distributed public key
> 2. Lack of signify packages in e.g. Linux distros, or
> securely-distributed sources
I have not used the
On Wed, May 25, 2016 at 11:08:44PM +0300, Eduard - Gabriel Munteanu wrote:
> Hi,
>
> It currently seems impossible to verify downloads from a computer
> without OpenBSD, for a few reasons:
>
> 1. No securely-distributed public key
> 2. Lack of signify packages in e.g. Linux distros, or
> securely
> It currently seems impossible to verify downloads from a computer
> without OpenBSD, for a few reasons:
>
> 1. No securely-distributed public key
> 2. Lack of signify packages in e.g. Linux distros, or
> securely-distributed sources
>
> To keep things simple, I propose mirroring SHA256SUM file
Hi,
It currently seems impossible to verify downloads from a computer
without OpenBSD, for a few reasons:
1. No securely-distributed public key
2. Lack of signify packages in e.g. Linux distros, or
securely-distributed sources
To keep things simple, I propose mirroring SHA256SUM files onto the