
OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto

Posted by Soulskill
from the those-signatures-will-be-worth-a-lot-of-money-some-day dept.
ConstantineM writes "It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."
  • by Anonymous Coward on Sunday January 19, 2014 @12:16AM (#46002919)

    OpenBSD is security by arrogance: nobody cares much to pay any attention to it, and anyone who comes with good intentions gets shouted down.

    Distributing unsigned packages in 2014 shows such a lack of concern for even the most basic risks facing administrators and end users that I can only assume it was intentional.

  • Floppy disks? (Score:3, Interesting)

    by thue (121682) on Sunday January 19, 2014 @12:27AM (#46002977) Homepage

    Being limited by a floppy disk support requirement sounds like a bad joke. Is that really relevant for any computer which is not hopelessly antiquated in 2014? For reference, Apple stopped shipping floppy disk drives by default in 1998.

  • Overly paranoid (Score:5, Interesting)

    by johnwbyrd (251699) on Sunday January 19, 2014 @12:47AM (#46003117) Homepage

    I started using OpenBSD in 1998. It was a viable, timely competitor to Linux at the time, especially for building firewalls as such.

    OpenBSD is a great example of what happens when you make life too difficult for end users and administrators in the name of Security. OpenBSD has never embraced the most recent release of anything -- if it's new, by definition it's insecure and it can't be trusted. Ergo, if you have to demonstrate the latest technology in whatever you're doing, you start with a Linux distribution.

    From the article: "We wanted a tool that would fit on installation media, which meant minimizing code size and external dependencies." That's the breakage mode, in a nutshell. NO ONE in the world has been clamoring for an OpenBSD signing tool that runs on a floppy. But the designers are imagining the user requirements based on their own biases. This way lies the death of any commercial or open source software product.

  • by hairyfeet (841228) on Sunday January 19, 2014 @03:13AM (#46003591) Journal

    Well considering the fact that OpenBSD is in danger of shutting down due to lack of funding [osnews.com] I really don't think starting this NOW is the greatest of ideas. Click on the comments to the article I linked to and they have a letter from de Raadt berating some for daring! to suggest that they might not ought to support a shitload of ancient formats like VAX if they are losing THAT much cash so I'd be amazed if they are here next year.

    I'm sure I'll get hate from the *BSD fans but truth is truth and when you are bleeding cash like that you can NOT just give everyone a bad attitude and a "we deserve this", not when you are counting on those same people to support you. Either de Raadt stops running that huge mound of servers or they bleed to death, simple as that. And from the looks of that letter he'd be perfectly happy with it being the latter if it means giving an inch otherwise. Sorry guys but I've dealt with "never give an inch" types in business and in my exp they usually end up bankrupt. The wise owner rolls with the punches and accepts there is gonna be downturns, the arrogant owner says "I deserve it all" and runs the company into the ground.
