OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto
ConstantineM writes "It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."
Very surprised that it took this long (Score:5, Insightful)
Re:Very surprised that it took this long (Score:5, Insightful)
Re:Floppy disks? (Score:3, Insightful)
And when you want to use a hopelessly antiquated computer for something, OpenBSD will be there for you.
Re:Floppy disks? (Score:5, Insightful)
No, it won't make much sense even with that in mind. Even less, in fact.
Embedded systems are usually factory-installed. In the factory, they don't do the installs via floppies. Most OpenBSD installs today are done off their (very good!) CD-ROM media, or maybe even more, by USB.
Floppy disks are used for a tiny percentage of installs (yes, even of *their* installs). Alright, they don't want to dump very old architectures that are known to work and have no other acceptable boot medium, but in the end... Basing the entire OS on the least common denominator takes a toll on the general usability of the system in everyday settings.
Re:Very surprised that it took this long (Score:4, Insightful)
So, do you have a timeline for when other *BSD and Linux distributions switched to signed packages? It looks to me that FreeBSD only started that move at the end of October, and doesn't appear to be there yet. I don't think I would call that a "crushing" lead.
There wouldn't happen to be some trolling going on with your post, would there? Especially the "security by arrogance" bit?
Thu Oct 31 02:10:33 UTC 2013 [freebsd.org]
Pkg 1.2 will be released in the coming month which will bring many improvements including officially signed packages. FreeBSD 10's pkg bootstrap now also supports signed pkg(8) installation.
Re:Very surprised that it took this long (Score:4, Insightful)
And how exactly do you get the OS and compilers to build the source code with?
Re: Probably for bootable CDs (Score:4, Insightful)
But, if you are booting from CDs, and the CD has the rest of the media, why do you need the utility for verifying signatures on the boot media (1.44MB image)? Bootstrap the installation image from the iso9660 part of the CD (or the network, in the case of a network install) and have that contain the signature verification utility.
Hint: RPM-based distros have been doing this since rpm 3.x, or about 1999.
Really, who uses floppies for installation these days? Sure, maybe floppy emulation on a DRAC or iLO or ILOM, but they all
-support CDROM or DVD emulation
-PXE boot (with relatively large images possible via TFTP)
If none of these are options, just write the whole (hybrid) ISO image to a 4GB USB flash disk and be done with it.
I personally haven't used an actual CD-RW or DVD to install a system in about 5 years. Either network install booted via PXE for servers, or USB flash disk for laptops.
Re:Very surprised that it took this long (Score:5, Insightful)
Theo is the same as he's been for the last 20 years: on the one hand he's militant about the BSD license, which gives away all the code to multi-billion corporations, then a giant crybaby when the same corporations take the code and give him nothing but a cold shoulder in return. Oddly enough he's managed to gather a small following which barely keeps OpenBSD alive, usually by threatening to shut down OpenSSH development, which is their only true success, but this is neither the first nor the last time he's making such ultimatums.
If Linus is the benevolent dictator for life, Theo is the not-so-benevolent dictator for life. He started OpenBSD so he could run the show, and any opposition is harshly cut down. Don't argue with him about how the project's managed or what costs are necessary; everything is as Theo has decided it should be, and he's only complaining that nobody is willing to fund his masterpiece. Your input is not wanted, just your wallet, and he treats everyone from the smallest individual contributor to giant corporations the same. He's got balls of steel and an ego the size of a planet, but in the end he'll always be going around with a beggar's cup.