On Wed, Sep 11, 2013 at 01:49:14PM +0300, Valentin Zagura wrote:
 
> We are going to use a OpenBSD system in a PCI-DSS compliant environment.
> Is there any way we can prove to our PCI-DSS assessor that the OpenBSD
> image we use for our installation can be checked so that it is the correct
> one (is not modified in a malicious way by a third party) ?

Probably not what you want to hear, but starting with 
http://www.openbsd.org/orders.html 
is usually an excellent idea in this context. Verifiably delivered from a 
trusted source.

> A https link to some kind of ISO checksum or something similar (but using
> strong cryptography) I think would do it, but I could not find any (except
> a line in the FAQ stating "If the men in black suits are out to get you,
> they're going to get you." which is not the case :) )

It's possible some of the more prominent entries on 
http://www.openbsd.org/support.html
could be persuaded to provide something like that (M:Tier comes to mind, but 
why are they not on that page?) in exchange for a reasonable fee.

But again, for -RELEASE, the CD sets are a good starting point.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

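The check the original question is after, as an added example that is not part of the thread and not OpenBSD project code: verify a downloaded image against a checksum list in the "SHA256 (name) = hexdigest" format that BSD sha256(1) emits, hashing the file in chunks so a full-size ISO never has to sit in memory. The file name, the stand-in image bytes and the checksum list are constructed for the demonstration. Note the caveat the FAQ line in the question is getting at: a checksum fetched from the same mirror as the ISO only proves the download was not corrupted, not that the image is the project's; the list itself has to come from a channel you trust more than the mirror (the point of the CD-set recommendation above).

```python
"""Verify a downloaded file against an OpenBSD-style SHA256 checksum list.

Added example, not from the mailing-list thread. The list format
"SHA256 (name) = hexdigest" is what BSD sha256(1) prints; the sample list
and the sample "ISO" bytes below are constructed for the demonstration.
"""
import hashlib
import hmac
import io
import re

# One entry per line, e.g.  SHA256 (install.iso) = <64 hex chars>
_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def parse_sha256_list(text):
    """Return {filename: hexdigest} for a SHA256 list; reject malformed lines loudly."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("malformed checksum line %d: %r" % (lineno, line))
        digests[m.group("name")] = m.group("digest")
    return digests


def sha256_of_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in 1 MiB chunks so a multi-GB image is never read at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify(name, stream, sha256_list_text):
    """Return (ok, reason); ok is True only if the stream's digest equals the list entry for name."""
    expected = parse_sha256_list(sha256_list_text).get(name)
    if expected is None:
        return False, "no entry for %s in checksum list" % name
    actual = sha256_of_stream(stream)
    # compare_digest is constant-time; not needed for a local file but costs nothing.
    if hmac.compare_digest(actual, expected):
        return True, "sha256 matches"
    return False, "sha256 mismatch: expected %s got %s" % (expected, actual)


def verify_bytes(name, data, sha256_list_text):
    """Convenience wrapper for in-memory data (tests, small files)."""
    return verify(name, io.BytesIO(data), sha256_list_text)


# Constructed sample data: a stand-in image and a checksum list that covers it.
SAMPLE_ISO = b"not a real ISO image, just bytes for the demonstration\n"
SAMPLE_ISO_DIGEST = hashlib.sha256(SAMPLE_ISO).hexdigest()
SAMPLE_SHA256_LIST = "SHA256 (install.iso) = %s\n" % SAMPLE_ISO_DIGEST

if __name__ == "__main__":
    # Intact image: passes. One appended byte: fails. Unknown name: fails.
    print(verify_bytes("install.iso", SAMPLE_ISO, SAMPLE_SHA256_LIST))
    print(verify_bytes("install.iso", SAMPLE_ISO + b"x", SAMPLE_SHA256_LIST))
    print(verify_bytes("other.iso", SAMPLE_ISO, SAMPLE_SHA256_LIST))
```

For a real download, open the ISO with `open(path, "rb")` and pass it to `verify` together with the text of the SHA256 file; a truncated or tampered image, or a name missing from the list, comes back as `(False, reason)` rather than raising, so a wrapper script can log the reason and refuse to proceed.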