On Wed, 5 Sep 2012 07:26:26 -0400 Tony Abernethy wrote:
> >A very simple addition to the FAQ would not be a problem.
> >WOW! This question seems to be asked a lot!
> >A simple addition to the FAQ does not seem to be a problem, Nick.
> >Yes, I know, a very stupid question asked many times.
> >A simplele FUCJ IR
>
> Perhaps because it is a FAQ not a FASQ.
> Seems like stupid questions tend to produce stupid answers.
> Seems like users BELIEVING in signatures would make for a much
> more easily crackable system.
> I always want my enemy to feel secure in quick and easy fixes.
I wouldn't call it a stupid question at all, just an impracticality. After all, the build structure and ports are largely sound and likely more secure than any Linux infrastructure. I believe even the source mirrors are less sound and don't run OpenBSD. Signatures are good but, yes, may offer a false sense of security, though still security too, as do checksums. Perhaps the checksum could be signed?

To the OP: when checking, I choose a source mirror or two and download just the SHA256. There is no SHA256 for src.tgz and sys.tgz, but you can use ssh for the source code by getting the fingerprint once, as for signatures but tied to servers and not devs.
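An added example, not from the thread, of the check described above: the SHA256 file is fetched from two mirrors and the copies compared, then the local downloads are verified against its BSD-format `SHA256 (file) = hex` lines. The sample file and manifest are constructed here; on a real release the manifest comes from the mirrors.

```sh
#!/bin/sh
# Portable hex digest of a file: OpenBSD ships sha256(1), GNU systems sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# The SHA256 file as served by two mirrors must be byte-identical;
# a difference means at least one mirror is stale or tampered with.
manifests_agree() {
    [ "$1" = "$2" ]
}

# Check every file named in the manifest ($1) that exists in directory $2.
# Absent files are skipped (you rarely fetch the whole set).
# Returns 0 if all present files match their listed digest, 1 otherwise.
verify_manifest() {
    dir="$2"; bad=0
    while read -r line; do
        # Only lines of the form: SHA256 (name) = hex
        case "$line" in 'SHA256 ('*') = '*) ;; *) continue ;; esac
        name=${line#'SHA256 ('}; name=${name%%')'*}
        want=${line##*'= '}
        [ -f "$dir/$name" ] || continue
        got=$(sha256_of "$dir/$name")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $name" >&2
            bad=1
        fi
    done <<EOF
$1
EOF
    return "$bad"
}

# --- demo with constructed data (not a real release manifest) ---
tmp=$(mktemp -d)
printf 'hello\n' > "$tmp/hello.txt"
good='SHA256 (hello.txt) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
bad='SHA256 (hello.txt) = 0000000000000000000000000000000000000000000000000000000000000000'
manifests_agree "$good" "$good" && echo "mirror copies agree"
verify_manifest "$good" "$tmp" && echo "hello.txt verified"
verify_manifest "$bad" "$tmp" || echo "tampered manifest detected"
rm -rf "$tmp"
```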

