On Wed, May 25, 2016 at 11:08:44PM +0300, Eduard - Gabriel Munteanu wrote:
> Hi,
> 
> It currently seems impossible to verify downloads from a computer
> without OpenBSD, for a few reasons:
> 
> 1. No securely-distributed public key
> 2. Lack of signify packages in e.g. Linux distros, or
> securely-distributed sources
> 
> To keep things simple, I propose mirroring SHA256SUM files onto the
> main website and making them available over HTTPS. This allows new
> users to easily verify images.
> 

Get the SHA256.sig from a different server than the install files. After
all, using just one server could be a problem if it is compromised.

And face the reality of things:

1. The small bad guys. They can put up compromised install files and sig
files. They laugh at the damage they did to you. Jajaja.

2. The worse bad guys. Your actual network from your ISP is compromised
and you get compromised data. Period.

3. The worst bad guys. The ones you have no protection against under any
circumstances. These are the people who have physical access to your
computer. The manufacturers. They can install compromised chips to the
motherboard, etc.

You just have to accept that you can't have perfect security. Just beat
the first step and live with the other threats.
#2 and 3 have already been compromised. Just don't put any of
your really evil secrets on your computer. Pencil and paper?

Don't worry and be happy!

Chris Bennett
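
Added example (not part of the original message): a Python sketch of the cross-check suggested above, comparing checksum lists fetched from two different servers before trusting a download. The file name, sample bytes and helper names are constructed for illustration; agreement between two servers only covers the single-compromised-server case and is not a substitute for verifying the signify signature.

```python
import hashlib
import re

# BSD-style checksum line as found in OpenBSD's SHA256 / SHA256.sig files:
#   SHA256 (filename) = <64 hex digits>
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def parse_sums(text):
    """Return {filename: digest}. The two signify header lines of a .sig
    file (comment and base64 signature) do not match and are skipped."""
    sums = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sums[m.group("name")] = m.group("hex")
    return sums

def cross_check(list_a, list_b, name, data):
    """Check a download against checksum lists from two separate servers."""
    a = parse_sums(list_a).get(name)
    b = parse_sums(list_b).get(name)
    if a is None or b is None:
        return "missing"           # not listed by one of the servers
    if a != b:
        return "servers-disagree"  # at least one list was altered
    if hashlib.sha256(data).hexdigest() != a:
        return "file-mismatch"     # lists agree, the download does not
    return "ok"

# Constructed sample data (not real OpenBSD files or digests).
IMAGE = b"constructed install image\n"
GOOD = "SHA256 (install.fs) = " + hashlib.sha256(IMAGE).hexdigest() + "\n"
SIG_COPY = ("untrusted comment: constructed placeholder\n"
            "PLACEHOLDERBASE64==\n" + GOOD)
TAMPERED = "SHA256 (install.fs) = " + "0" * 64 + "\n"

if __name__ == "__main__":
    print(cross_check(GOOD, SIG_COPY, "install.fs", IMAGE))
    print(cross_check(GOOD, TAMPERED, "install.fs", IMAGE))
    print(cross_check(GOOD, SIG_COPY, "install.fs", IMAGE + b"x"))
```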
