On Thu, Sep 12, 2013 at 10:49:30AM +0200, InterNetX - Robert Garrett wrote:
> The real problem here is that in order to be added to certain lists
> of trusted PKI providers, you must be audited by security assessors.
> One of the things they look for is proof that the software you're
> using isn't tampered with.
> 
> It appears the OP is trying to solve that issue. EVEN using the CD
> is not enough to convince some of these people that the software is
> genuine and untampered with.
> 
> PGP-signed SHA256 keys in a publicly accessible place should do it.
> 
> Though it would seem to me that if the SHA signature is the same on
> all the mirrors through OpenBSD's distribution channels, that would be
> verification enough, as then you would have to break into a lot of
> systems run by very pedantic system admins in order to change it on
> all of them.
> 
> But let me repeat: it isn't the OP's idea of security that is
> important, it's the idea of the people they are paying a lot of money
> to, and the rules implemented by such companies as Microsoft, that
> are important here.

And the ideas of the people they are paying a lot of money to are one or
more of

a) wrong.
b) arbitrary.
c) unknown.

As you say --- "... should do it.". And how will we know it does
it?  Who will the security assessors accept as valid guarantors?
Theo? Bob? Austin? The Foundation? Resellers? Anybody running a
mirror? Some threshold number of developers? There is no entity
that owns or can be held responsible for the code, or is capable
of providing a solid evidentiary path from commit to your hands.

And the OpenBSD community is not some collective Zelig.

.... Ken

> 
> RG
> 
> On 09/11/2013 10:10 PM, Valentin Zagura wrote:
> >I was saying that other projects do it in a way they feel comfortable with
> >and maybe you will find a way to do it that you are comfortable with.
> >Using https was one simple idea. I understand that you don't think that
> >this adds any value but maybe there are other ways like signing with PGP,
> >maybe using SSH somehow or having Theo de Raadt saying the SHA checksums on
> >a video on youtube at each release :) or some other simple and effective
> >way that you are comfortable with.
> >I just wanted to point out that one cannot easily show his security
> >assessor that he has the right images using some "industry standard" ways,
> >or someone living in a country that has an oppressive government and would
> >download the image through tor could have some problems if the exit node is
> >malicious.
> >If you feel that any kind of verification is futile, it's ok, that would
> >not stop us from buying the CDs.
> >
> >
> >On Wed, Sep 11, 2013 at 10:32 PM, Kenneth R Westerback <
> >kwesterb...@rogers.com> wrote:
> >
> >>On Wed, Sep 11, 2013 at 08:53:50PM +0300, Valentin Zagura wrote:
> >>>I don't think I'm more paranoid than the average considering that Debian
> >>>has a way to do this (http://www.debian.org/CD/verify), Fedora has a
> >>>way to do this (https://fedoraproject.org/verify), even FreeBSD has a way
> >>>to do this (https://www.freebsd.org/releases/9.1R/announce.html).
> >>
> >>So you're saying that less paranoid projects are doing it, so why doesn't
> >>OpenBSD join the crowd and provide some fuzzy feel good but pointless
> >>security theatre? :-)
> >>
> >>>
> >>>The thought of being more paranoid than an OpenBSD guy is not very
> >>>comfortable :)
> >>
> >>Don't worry. You're apparently not paranoid enough yet. The true practical
> >>paranoid does not waste time on such mummery.
> >>
> >>.... Ken
> >>
> >>>
> >>>
> >>>On Wed, Sep 11, 2013 at 8:13 PM, Daniel Bolgheroni <dan...@bolgh.eng.br
> >>>wrote:
> >>>
> >>>>On Wed, Sep 11, 2013 at 03:17:20PM +0300, Valentin Zagura wrote:
> >>>>>Yes, we know, but that file can also be easily compromised if it's
> >>>>>not available for download with a secure protocol (HTTPS)
> >>>>
> >>>>If you're paranoid, build your own hardware from the ground up,
> >>>>including designing your own CPU and complementary circuits, download
> >>>>all the sources, audit them all, compile and then run.
> >>>>
> >>>>You can't be fooled by wrong measurements of security.
> >>>>
> >>
> 
> 
> 

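The cross-mirror check Robert describes above (fetch the SHA256 file from several mirrors, refuse to proceed unless they all agree, then hash the image against the agreed digest), written out as an added example that is not part of this thread and is not OpenBSD's own tooling. The mirror names, the SHA256 file contents and the stand-in image bytes are all constructed here; the only thing taken from real practice is the `SHA256 (file) = digest` line format that the BSD sha256(1) tool and OpenBSD's release SHA256 files use. The second scenario shows the failure mode the thread is arguing about: one mirror serving a different digest.

```python
import hashlib
import re
from collections import Counter

# Line format of BSD sha256(1) output, as used in OpenBSD release SHA256 files:
#   SHA256 (install53.iso) = <64 lowercase hex digits>
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def parse_sha256_file(text):
    """Map file name -> hex digest. A malformed line is an error, not skipped:
    a tampered or truncated file must fail loudly rather than silently lose entries."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("line %d is not a SHA256 entry: %r" % (lineno, line))
        digests[m.group("name")] = m.group("digest")
    return digests


def mirror_consensus(files, name):
    """files: mirror label -> text of that mirror's SHA256 file.
    Returns (agreed_digest or None, {mirror: digest}). Every mirror must carry
    an entry for `name` and every digest must be identical, else no consensus."""
    seen = {}
    for mirror, text in files.items():
        entries = parse_sha256_file(text)
        if name not in entries:
            raise ValueError("%s: no entry for %s" % (mirror, name))
        seen[mirror] = entries[name]
    distinct = set(seen.values())
    if len(distinct) == 1:
        return distinct.pop(), seen
    return None, seen


def dissenting_mirrors(seen):
    """Mirrors whose digest differs from the most common one. The majority is only
    a hint for the operator; a split vote is never accepted as verification."""
    majority, _ = Counter(seen.values()).most_common(1)[0]
    return sorted(m for m, d in seen.items() if d != majority)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(data, name, files):
    """(True, "ok") only if all mirrors agree AND the local image matches."""
    agreed, seen = mirror_consensus(files, name)
    if agreed is None:
        return False, "mirrors disagree on %s: %s" % (name, dissenting_mirrors(seen))
    actual = sha256_hex(data)
    if actual != agreed:
        return False, "local %s digest %s != published %s" % (name, actual, agreed)
    return True, "ok"


# ---- constructed sample data (not a real release, not real mirrors) ----
IMAGE_NAME = "install53.iso"
IMAGE_DATA = b"constructed stand-in for an OpenBSD install image\n"
GOOD_DIGEST = sha256_hex(IMAGE_DATA)
GOOD_FILE = "SHA256 (%s) = %s\nSHA256 (INSTALL.amd64) = %s\n" % (IMAGE_NAME, GOOD_DIGEST, "0" * 64)

# Scenario 1: three mirrors all serve the same SHA256 file.
HONEST_MIRRORS = {"mirror-a": GOOD_FILE, "mirror-b": GOOD_FILE, "mirror-c": GOOD_FILE}

# Scenario 2: one mirror serves a SHA256 file pointing at a different image.
TAMPERED_DIGEST = sha256_hex(IMAGE_DATA + b"backdoor")
TAMPERED_FILE = GOOD_FILE.replace(GOOD_DIGEST, TAMPERED_DIGEST)
MIXED_MIRRORS = dict(HONEST_MIRRORS, **{"mirror-c": TAMPERED_FILE})


if __name__ == "__main__":
    print("honest mirrors, good image:", verify_image(IMAGE_DATA, IMAGE_NAME, HONEST_MIRRORS))
    print("one tampered mirror:      ", verify_image(IMAGE_DATA, IMAGE_NAME, MIXED_MIRRORS))
    print("honest mirrors, bad image:", verify_image(IMAGE_DATA + b"x", IMAGE_NAME, HONEST_MIRRORS))
```

Note what this does and does not establish. Agreement across mirrors shows the mirrors are consistent with each other, not that they are consistent with what the developers built: a compromised master the mirrors all sync from, or anything that sits between you and every mirror you query, passes this check unchanged. That gap is exactly Ken's question of who the guarantor is, and no amount of hashing answers it.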