OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto

ConstantineM writes "It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."

Re:Very surprised that it took this long

[fisted]

Wrong. Using binary package is just considered not the right way to do things, in OpenBSD land.
What you do is, check out the source repository, which does make sure the data you get hasn't been tampered with, then build it from source.
For mass deployments, you can then create binary packages from the result (secure distribution to other machines is your job, however. although that typically isn't much of a concern since it usually happens on the local network.

IOW, your comment is pure BS.

Re:Very surprised that it took this long

[Anonymous Coward]

"Disc" is how English speakers outside the US spell the word describing a round, flat object. The reason one item is referred to as a "floppy disk" and one as a "compact disc" is simply their origin. The Compact Disc was developed by a Philips/Sony team, companies located in the Netherlands and Japan respectively. The floppy disk was developed by US based IBM.

Re:Very surprised that it took this long

[Anonymous Coward]

Majority of Linux installations use RPM or APT, and those had GPG signing since ~2005.

Debian has had it for a while

[Anonymous Coward]

I'm not as familiary with RedHat or SuSe archives, but I did a little digging over at debian.org.

The debian-archive-keyring package changelog shows an initial release on 10 January 2006, or eight years ago.

Digging deeper, the devscripts changelog shows the signchanges program (now called debsign) was added in July 1999. The changelog entry implies that it was to aid an already existing signing system, so Debian has had it for about 15 years, possibly longer.

Now consider that Debian has a reputation as a late adopter.

Probably for bootable CDs

[Animats]

This is probably because they want the signature checker to fit in the CD boot loader. For historical reasons [mit.edu], bootable CDs imitate a floppy during the initial boot process, and contain an image of a 1.44MB floppy with a FAT file system. When you boot an PC-type x86 machine from CD, that simulated floppy (the file "floppy54.fs" for OpenBSD) is read by the BIOS and a file from it is executed.

This process is so retro that the initial program loaded is executed in 16-bit X86 mode.

Re:Floppy disks?

[Tom]

In a recent interview I can't find right now, Theo gave a perfectly good reason for this insane legacy support: OpenBSD is a volunteer project, and some of the most valuable contributors want this stuff to remain. Dumping the legacy systems would most likely mean losing those contributors. If they are important enough to the project, then the legacy support is the price it pays to keep them around.