On 26-03-2014 17:18, Theo de Raadt wrote:
>>
>> Theo,
>>
>> I agree with you that the installer must be as small as possible,
>> and still offer a good mix of ways to install the software. With
>> signify, the security of the underlying protocol being used in the
>> installation becomes irrelevant, as long as you trust the initial key
>> and as long as you are not trying to obfuscate which
>> platform/sets/packages you are installing.
>>
>> Personally I don't do network installs, only as a last resort. I
>> prefer using a usb stick. Our OP apparently does not have physical access
>> to the machines so it has to rely on network installs/upgrades,
>> whatever. If he can dedicate a machine for making its own mirror, it's
>> the best alternative.
>>
>> It would be nice to have openssl in the installer, but it surely
>> isn't much of a problem nowadays.
>
> That's entirely true, but signify only works for the signed base sets.
>
> site*.tgz is now a pretty serious outlier. I feel we might have to do
> a rather large departure from the current model to make that file safe
> again. I know it is fetched locally, but there is this really twisted
> dependency on all three files SHA256.sig, SHA256, and index.txt.
>
> Regarding safety of site*.tgz, placing openssl there is not part of any
> solution that would work. What are other possible solutions? I do
> not yet know.
>
> One development path may be to remove site*.tgz from the main install
> sequence, and try to handle it in a more special way after base set
> installs. Even if we have to add an additional question for a while.
> Then maybe we can develop a better sequence that satisfies the same
> need.
>
> The install scripts are dynamic, something changes in them every
> release, so this is a natural process.

As I mentioned, openssl would only make it possible to obfuscate the platform, sets and packages being installed.

There are a lot of side-channel attacks that make it possible to tell exactly what you are installing, even if the connection is encrypted. For this reason, I think signify is a much more important change than putting openssl in the installer.

The siteXX.tgz should be handled in a different way. Perhaps the way you proposed, or at some point someone may have a different solution. I thought for a while and nothing came up, besides what you already proposed.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
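The thread's point is that a signed SHA256 manifest makes the transport irrelevant (a trusted key is all the installer needs), and that site*.tgz is an outlier precisely because it is not listed in that signed manifest. The following is an added example, written for this page and not code from OpenBSD or the thread's authors, that models that trust decision: it verifies a manifest signature, parses the `SHA256 (file) = hex` layout, and then accepts only the sets that are both listed and matching, rejecting anything the signed manifest does not cover. The file names, contents and key are constructed, and the signature is an HMAC stand-in for signify's Ed25519 so the example runs with only the standard library.

```python
import hashlib
import hmac
import re

# Constructed sample set contents. "site55.tgz" stands in for the locally
# built site*.tgz that the thread discusses; it is deliberately absent from
# the signed manifest built below.
SAMPLE_FILES = {
    "base55.tgz": b"constructed base set contents",
    "etc55.tgz": b"constructed etc set contents",
    "site55.tgz": b"constructed local site set contents",
}

# Constructed key playing the role of the trusted release key the installer
# already carries; in the real scheme this is an Ed25519 public key.
TRUSTED_KEY = b"constructed-trusted-release-key"

LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")


def sha256_line(name, data):
    """One manifest line in the 'SHA256 (file) = hex' layout."""
    return "SHA256 (%s) = %s" % (name, hashlib.sha256(data).hexdigest())


def build_manifest(names):
    """Assemble a manifest covering only the named sets."""
    return "\n".join(sha256_line(n, SAMPLE_FILES[n]) for n in names) + "\n"


def sign_manifest(key, manifest_text):
    """HMAC-SHA256 stand-in for the signify Ed25519 signature (assumption)."""
    return hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()


def verify_manifest(key, manifest_text, signature_hex):
    """Constant-time comparison of the stand-in signature."""
    return hmac.compare_digest(sign_manifest(key, manifest_text), signature_hex)


def parse_manifest(text):
    """Map set name -> expected hex digest; reject malformed lines outright."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("malformed manifest line: %r" % line)
        entries[m.group("name")] = m.group("hex")
    return entries


def check_sets(key, manifest_text, signature_hex, requested, files):
    """Return (accepted, rejected) for the requested sets.

    Nothing is trusted until the manifest signature verifies; after that a set
    is accepted only if it is listed in the manifest and its digest matches.
    Sets the signed manifest does not mention (site*.tgz) are rejected, which
    is exactly the gap the thread is about.
    """
    if not verify_manifest(key, manifest_text, signature_hex):
        raise ValueError("manifest signature does not verify; refusing all sets")
    entries = parse_manifest(manifest_text)
    accepted, rejected = [], {}
    for name in requested:
        if name not in entries:
            rejected[name] = "not covered by signed manifest"
        elif name not in files:
            rejected[name] = "file missing"
        elif hashlib.sha256(files[name]).hexdigest() != entries[name]:
            rejected[name] = "digest mismatch"
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    manifest = build_manifest(["base55.tgz", "etc55.tgz"])
    sig = sign_manifest(TRUSTED_KEY, manifest)
    wanted = ["base55.tgz", "etc55.tgz", "site55.tgz"]
    print(check_sets(TRUSTED_KEY, manifest, sig, wanted, SAMPLE_FILES))
```

Run as a script it accepts the two signed sets and rejects `site55.tgz` as uncovered; a set altered in transit fails with a digest mismatch, and a manifest edited to add a line for the site set fails signature verification before any digest is even consulted, which is why the transport protecting the download does not need to be trusted.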