On Wed, 2016-05-25 at 17:22 -0600, Theo de Raadt wrote:
> > Well, you could certainly put the key and signify sources on the main
> > website. The CVS thing doesn't seem to be HTTPS-enabled.
>
> You mean like here?
[...]
Oops, I completely missed those. I was looking at the download page and
On Wed, 2016-05-25 at 17:02 -0500, Chris Bennett wrote:
> Get the SHA256.sig from a different server than the install files, after
> all, using just one server could be a problem if it is compromised.
>
> And face the reality of things:
>
> 1. The small bad guys. They can put up compromised
On Wed, 2016-05-25 at 16:18 -0600, Theo de Raadt wrote:
> > It currently seems impossible to verify downloads from a computer
> > without OpenBSD, for a few reasons:
> >
> > 1. No securely-distributed public key
> > 2. Lack of signify packages in e.g. Linux distros, or securely-distributed
Hi,
It currently seems impossible to verify downloads from a computer
without OpenBSD, for a few reasons:
1. No securely-distributed public key
2. Lack of signify packages in e.g. Linux distros, or securely-distributed sources
To keep things simple, I propose mirroring SHA256SUM files onto the