> I already said there are no plans to start signing things. What more
> is there to discuss?

Two things:

1) Why not? I'd like to know the reasons. I've read the FAQ, I've checked the archives, and I've read all of the messages in this thread. The best answer seems to be "because we can't be bothered". But that's inconsistent with OpenBSD's proactive approach to security. The OpenBSD project has put more effort into less significant security features than this.

2) Given that there are no plans to start signing things, what's the best way to update an OpenBSD system (including packages)? The modal answer is "buy the CDs", but that only works for releases. The best answer seems to be "use anoncvs over ssh and compile everything yourself", but that requires X and is time-consuming, and you need to somehow verify the server's fingerprint.

The upgrade guide at http://www.openbsd.org/faq/upgrade51.html specifically recommends setting PKG_PATH and running "pkg_add -ui". This is vulnerable to both compromised mirrors and man-in-the-middle attacks.

Section 4.1 of the installation guide at http://www.openbsd.org/faq/faq4.html specifically says that you can download the install ISO or use an FTP or HTTP mirror. This is vulnerable to both compromised mirrors and man-in-the-middle attacks.

There is a discrepancy between what the official documentation recommends and what people on this list recommend. Moreover, the official documentation says nothing of the risks its recommendations entail, and thus creates a "false sense of security".

