> > Is there any way to verify that distribution sets and packages that I > > have downloaded have not been tampered with (e.g., by someone with > > access to the mirror from which I downloaded them)? > > Download the checksums from another mirror using a different connection. > > The project doesn't have a certificate infrastructure, nor plans to > deploy one.
Would make things easier for users but harder and more work for devs. It's important to understand that OpenBSD is dev orientated. It does have a solid build infrastructure though which is where the weakness in signatures would be. -- _______________________________________________________________________ 'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy) _______________________________________________________________________