I was saying that other projects do it in a way they feel comfortable with and maybe you will find a way to do it that you are comfortable with. Using https was one simple idea. I understand that you don't think that this adds any value but maybe there are other ways like signing with PGP, maybe using SSH somehow or having Theo de Raadt saying the SHA checksums on a video on youtube at each release :) or some other simple and effective way that you are comfortable with. I just wanted to point out that one can not easely show his security assessor that it has the right images using some "industry standard" ways, or someone living in a country that has an oppressive government and would download the image through tor could have some problems if the exit node is malicious. If you feel that any kind of verification is futile, it's ok, that would not stop us from buying the CDs.
On Wed, Sep 11, 2013 at 10:32 PM, Kenneth R Westerback < kwesterb...@rogers.com> wrote: > On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote: > > I don't think I'm more paranoid than the average considering that Debian > > has a way to do this (http://www.debian.org/CD/verify), fedora has a > way to > > do this (https://fedoraproject.org/verify), even Freebsd has a way to do > > this ( https://www.freebsd.org/releases/9.1R/announce.html). > > So you're saying that less paranoid projects are doing it, so why doesn't > OpenBSD join the crowd and provide some fuzzy feel good but pointless > security theatre? :-) > > > > > The thought of being more paranoid than an OpenBSD guy is not very > > comfortable :) > > Don't worry. You're apparently not paranoid enough yet. The true practical > paranoid does not waste time on such mummery. > > .... Ken > > > > > > > On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni <dan...@bolgh.eng.br > >wrote: > > > > > On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote: > > > > Yes, we know, but that file can also be easily compromised if it's > not > > > > available for download with a secure protocol (HTTPS) > > > > > > If you're paranoid, build your own hardware from the ground up, > > > including designing your own CPU and complementary circuits, download > > > all the sources, audit them all, compile and then run. > > > > > > You can't be fooled by wrong measurements of security. > > > >
