Yes, that's what I gathered was meant. Going into PKI and code signing,
however, I assumed he meant signing and verifying the underlying source
code, and navigating the trees, I haven't noticed that.

Evidently he meant signing binary packages. In that case, I can kind of
understand the requirement - particularly for business - but whether it's
worth it is up to the OpenBSD team, not me. :) I'm having trouble seeing how
somebody could easily manage to get a compromised binary onto OpenBSD
servers. Seems more trouble to implement than it's worth.

On Dec 5, 2007 7:13 PM, Dave Ewart <[EMAIL PROTECTED]> wrote:

> On Wednesday, 05.12.2007 at 17:59 +0000, Kevin Stam wrote:
>
> > For one thing, I think you're quite confused. Unless I'm missing
> > something, I'm not noticing the FreeBSD, NetBSD, Linux kernel
> > developers "signing" their code, or doing anything particularly
> > differently from the OpenBSD developers. Please explain.
>
> I'm guessing that he's referring to the fact that some Linux
> *distributions* (not the kernel developers or necessarily any of the
> components) sign their binary packages: for example Debian do this.
>
> I believe one of the supposed benefits of this is that it allows anyone
> to set up a public Debian mirror and, after checking the signatures
> during download, one can be sure that they are 'real' Debian packages.
>
> I believe that in some circumstances this may lead to a false sense of
> security:
>
> - Said mirror could have old (vulnerable) versions of packages.  Just
>  because they're signed doesn't mean they're safe;
>
> - The signing relates only to the packaging: if the underlying source
>  code is compromised, then all bets are off.
>
> Would signing help for OpenBSD?  I don't particularly see that it would,
> given that you are trading off the hassle of implementing it,
> maintaining it and so on, against the benefits of doing so, which are
> probably small or non-existent.
>
> Dave.
>
> --
> Dave Ewart [EMAIL PROTECTED], jabber:[EMAIL PROTECTED], freenode:davee
> All email from me is now digitally signed, http://www.sungate.co.uk/
> Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
>
> [demime 1.01d removed an attachment of type application/pgp-signature
> which had a name of signature.asc]
