subject:"digitally signed distribution \(was\: OBSD's perspective on SELinux\)"

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-24 Thread Darren Spruell

> > > Sure it does, just pull from CVS over SSH and compile your own. Only
> >
> > Where do I get the ssh fingerprints of the CVS servers?

http://www.openbsd.org/anoncvs.html#CVSROOT, of course.

Not all are listed, but one can either use one that needs verified or
contact the maintainer for a correct fingerprint.

DS

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-24 Thread Lars Hansson

On 9/24/07, Martin Schrvder <[EMAIL PROTECTED]> wrote:
> 2007/9/24, Joachim Schipper <[EMAIL PROTECTED]>:
> > Sure it does, just pull from CVS over SSH and compile your own. Only
>
> Where do I get the ssh fingerprints of the CVS servers?

Where do you get the public keys for the digitally signed distributions?

---
Lars Hansson

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-24 Thread Antti Harri

On Mon, 24 Sep 2007, Martin Schrvder wrote:

> But can we agree that packages are not digitally signed, patches are
> not digitally signed and the methods used to distribute sources online
> also don't use digital signatures? And that md5/sha1 and pgp are older
> than OBSD?

I just wanted to add that MD5 sums are being integrated.
IIRC they just weren't functioning totally fullproof (with the x* sets),
and the listing seems to confirm this.

lftp ftp.openbsd.org:/pub/OpenBSD/snapshots/i386> cat MD5
MD5 (INSTALL.i386) = a215ca115157db97f1bcebee2cc0940c
MD5 (INSTALL.linux) = 34ab7e52e8b1ed96682349a2f0addcce
MD5 (base42.tgz) = d3d5c580e38d8a7621ad67e8e2b38f6a
MD5 (bsd) = 9cc36c08f6e3575107ace6c9eadd1a1a
MD5 (bsd.mp) = 410c815dd7b929c9a71c830d2dd0b12f
MD5 (bsd.rd) = 15398b92a616885c5af42bdf26a4568f
MD5 (cd42.iso) = 005f1cb47bbf5f482ac8250a2cc853a0
MD5 (cdboot) = cfa4e53323285805313c7efcce7a3331
MD5 (cdbr) = ec1630b9b53d47bdfe0037fa9324a9e6
MD5 (cdemu42.iso) = bbb30515ef07a75a168709ec497c7892
MD5 (comp42.tgz) = ab11daa30094e393f97914013d2aa21f
MD5 (etc42.tgz) = 76c91a12150f726c20de1c3b20240c0b
MD5 (floppy42.fs) = 96514601275e06f08e3b672d2ebdf60f
MD5 (floppyB42.fs) = fe5f2eb1b3fdbfb54103010b93f0
MD5 (floppyC42.fs) = b3aa430e003772a9fc0cdcf5921cc842
MD5 (game42.tgz) = c30b70aa932e6538a90bc3dad0689847
MD5 (install42.iso) = 60a02a003cd15bf556e3c5d15de1e8e1
MD5 (man42.tgz) = 9bb112644a8e5da552aed13111a0f5d0
MD5 (misc42.tgz) = fe299ac3e268bc13d7bb041c0618a422
MD5 (pxeboot) = e34f00355fb312b97b6b8fa7d9ad684f


--
Antti Harri

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-24 Thread Martin Schröder

2007/9/24, Gilles Chehade <[EMAIL PROTECTED]>:
> You can fingerprint the tarballs and compare against the ones on the CD
> you bought to support the project ? :-)

I can.

But can we agree that packages are not digitally signed, patches are
not digitally signed and the methods used to distribute sources online
also don't use digital signatures? And that md5/sha1 and pgp are older
than OBSD?

And to further the flamefest: This is one area where most Linux
distros are better.

Best
   Martin

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-24 Thread Martin Schröder

2007/9/24, Wade, Daniel <[EMAIL PROTECTED]>:
> > Where do I get the ssh fingerprints of the CVS servers?
> >
> > And if I use cvsync, where do I get fingerprints?
>
> http://www.openbsd.org/anoncvs.html#CVSROOT

Thanks. It's not complete (i.e. not all servers have fingerprints),
but a start.

This doesn't help with cvsync, though. ;-}

Best
   Martin

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-24 Thread Gilles Chehade

On Mon, Sep 24, 2007 at 05:18:05PM +0200, Martin Schr?der wrote:
> 2007/9/24, Joachim Schipper <[EMAIL PROTECTED]>:
> > Sure it does, just pull from CVS over SSH and compile your own. Only
> 
> Where do I get the ssh fingerprints of the CVS servers?
> 
> And if I use cvsync, where do I get fingerprints?
> 

You can fingerprint the tarballs and compare against the ones on the CD
you bought to support the project ? :-)

Gilles

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-24 Thread Wade, Daniel

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Martin Schrvder
> Sent: Monday, September 24, 2007 11:18 AM
> To: misc@openbsd.org
> Subject: Re: digitally signed distribution (was: OBSD's
> perspective on SELinux)
>
> 2007/9/24, Joachim Schipper <[EMAIL PROTECTED]>:
> > Sure it does, just pull from CVS over SSH and compile your own. Only
>
> Where do I get the ssh fingerprints of the CVS servers?
>
> And if I use cvsync, where do I get fingerprints?


http://www.openbsd.org/anoncvs.html#CVSROOT

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-24 Thread Martin Schröder

2007/9/24, Joachim Schipper <[EMAIL PROTECTED]>:
> Sure it does, just pull from CVS over SSH and compile your own. Only

Where do I get the ssh fingerprints of the CVS servers?

And if I use cvsync, where do I get fingerprints?

Best
   Martin

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-23 Thread Rui Miguel Silva Seabra

On Mon, Sep 24, 2007 at 12:35:54AM +0200, Joachim Schipper wrote:
> On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
> > Remember: OpenBSD still doesn't have a digitally signed code distribution,
> > and in some places that means it can't enter! Stupid, I know, but not too
> > stupid for the "blame game" rules, which sort of ignore the "secure by
> > design" initiatives.
> 
> Sure it does, just pull from CVS over SSH and compile your own. Only
> requires trusting one download, ever, and that can be verified by
> downloading from n servers from m distinct network locations, and
> verifying that the checksums match.
> 
> I do get what you are hinting at, but it's not an insurmountable issue.

It depends on the rules. If they say it must be digitally signed... one may
be SOL :|

-- 
Wibble.
Today is Sweetmorn, the 47th day of Bureaucracy in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

2007-09-23 Thread Joachim Schipper

On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
> Remember: OpenBSD still doesn't have a digitally signed code distribution,
> and in some places that means it can't enter! Stupid, I know, but not too
> stupid for the "blame game" rules, which sort of ignore the "secure by
> design" initiatives.

Sure it does, just pull from CVS over SSH and compile your own. Only
requires trusting one download, ever, and that can be verified by
downloading from n servers from m distinct network locations, and
verifying that the checksums match.

I do get what you are hinting at, but it's not an insurmountable issue.

Joachim

-- 
TFMotD: pflogd (8) - packet filter logging daemon

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

Re: digitally signed distribution (was: OBSD's perspective on SELinux)

10 matches

Site Navigation

Mail list logo

Footer information