Follow Slashdot stories on Twitter


Forgot your password?
Encryption Operating Systems BSD

OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto 232

ConstantineM writes "It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."
This discussion has been archived. No new comments can be posted.

OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto

Comments Filter:
  • by fisted ( 2295862 ) on Sunday January 19, 2014 @01:02AM (#46003185)

    Wrong. Using binary package is just considered not the right way to do things, in OpenBSD land.
    What you do is, check out the source repository, which does make sure the data you get hasn't been tampered with, then build it from source.
    For mass deployments, you can then create binary packages from the result (secure distribution to other machines is your job, however. although that typically isn't much of a concern since it usually happens on the local network.

    IOW, your comment is pure BS.

  • by Anonymous Coward on Sunday January 19, 2014 @01:53AM (#46003373)
    "Disc" is how English speakers outside the US spell the word describing a round, flat object. The reason one item is referred to as a "floppy disk" and one as a "compact disc" is simply their origin. The Compact Disc was developed by a Philips/Sony team, companies located in the Netherlands and Japan respectively. The floppy disk was developed by US based IBM.
  • by Anonymous Coward on Sunday January 19, 2014 @02:48AM (#46003521)

    Majority of Linux installations use RPM or APT, and those had GPG signing since ~2005.

  • by Anonymous Coward on Sunday January 19, 2014 @03:03AM (#46003567)

    I'm not as familiary with RedHat or SuSe archives, but I did a little digging over at

    The debian-archive-keyring package changelog shows an initial release on 10 January 2006, or eight years ago.

    Digging deeper, the devscripts changelog shows the signchanges program (now called debsign) was added in July 1999. The changelog entry implies that it was to aid an already existing signing system, so Debian has had it for about 15 years, possibly longer.

    Now consider that Debian has a reputation as a late adopter.

  • by Animats ( 122034 ) on Sunday January 19, 2014 @03:38AM (#46003667) Homepage

    This is probably because they want the signature checker to fit in the CD boot loader. For historical reasons [], bootable CDs imitate a floppy during the initial boot process, and contain an image of a 1.44MB floppy with a FAT file system. When you boot an PC-type x86 machine from CD, that simulated floppy (the file "floppy54.fs" for OpenBSD) is read by the BIOS and a file from it is executed.

    This process is so retro that the initial program loaded is executed in 16-bit X86 mode.

  • Re:Floppy disks? (Score:5, Informative)

    by Tom ( 822 ) on Sunday January 19, 2014 @06:10AM (#46004099) Homepage Journal

    In a recent interview I can't find right now, Theo gave a perfectly good reason for this insane legacy support: OpenBSD is a volunteer project, and some of the most valuable contributors want this stuff to remain. Dumping the legacy systems would most likely mean losing those contributors. If they are important enough to the project, then the legacy support is the price it pays to keep them around.

Each honest calling, each walk of life, has its own elite, its own aristocracy based on excellence of performance. -- James Bryant Conant