> To the OP. When checking I choose a source mirror or two and download
> just the SHA256. There is no sha256 for src.tgz and sys.tgz but you can
> use ssh for the source code by getting the fingerprint once like for
> signatures but tied to servers and not devs.
Thanks for trying to help, Kevin, but there are significant weaknesses in your process. How do you upgrade packages? I have PKG_PATH set for root and use "pkg_add -ui". The packages that OpenBSD provides are not signed, so if the mirror from which I get my packages is compromised, so is my computer. If the packages that OpenBSD provides were signed by the OpenBSD project, then I could at least be reasonably confident that the packages were not compromised between their signing and my obtaining them.

You say that you download SHA256 from a couple of mirrors to check it. Depending on which mirrors you use and from where they mirror, this does not necessarily provide independent verification. Moreover, anybody that controls a common node between you and the mirrors (e.g., many employees of your ISP) can perform a man-in-the-middle attack such that you get the same compromised files for every mirror (without them even having to compromise the mirrors). This may sound paranoid or far-fetched, but there are tools such as Firesheep that make this relatively easy to do. If the distribution sets that OpenBSD provides were signed by the OpenBSD project, then we could at least be reasonably confident that the distribution sets were not compromised between their signing and our obtaining them.

You say that you use SSH for the source code, which is great, except that you need to somehow verify the server's fingerprint the first time. The OpenBSD website doesn't use HTTPS, so again you're vulnerable to a man-in-the-middle attack. Moreover, OpenBSD does not support building ports on systems without X, so if you run OpenBSD on a server without X, then you can't build your own ports from source. If the distribution sets and packages that OpenBSD provides were signed by the OpenBSD project, then we could at least be reasonably confident that the packages and distribution sets were not compromised between their signing and our obtaining them.
It's true that signatures may create a "false sense of security" whereby people think they are safer than they actually are because they misunderstand which threats signatures do and do not protect against. However, this is true of any security measure, and is not a reason to avoid it. For example, W^X may create a false sense of security whereby people think that unsafe programming practices are not a problem, but that's not a reason to avoid W^X. It's true that the OpenBSD project would need to keep their keys secure and that building the distribution sets and packages would involve an extra step, but surely this is a trade-off that "the most secure operating system" would be happy to make. Practically every other operating system already does.
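The mirror-versus-signature argument above, worked through in Go as an added illustration that is not part of this thread and not OpenBSD's own code: a client that fetches the SHA256 manifest from two mirrors through the same on-path attacker, compared with a client holding a project signing key pinned out of band. Ed25519 stands in for whatever scheme the project would use, and every mirror, set and key here is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Mirror is what a client sees from one mirror (constructed sample data).
type Mirror struct {
	Set      []byte
	Manifest string
}

// manifestLine renders one entry in the OpenBSD SHA256 file format.
func manifestLine(name string, data []byte) string {
	sum := sha256.Sum256(data)
	return fmt.Sprintf("SHA256 (%s) = %s", name, hex.EncodeToString(sum[:]))
}

// checksumOK is true when the manifest carries a matching entry for the set.
func checksumOK(m Mirror, name string) bool {
	return strings.Contains(m.Manifest, manifestLine(name, m.Set))
}

// mitm is an on-path attacker rewriting set and manifest consistently on every mirror.
func mitm(name string, evil []byte) Mirror {
	return Mirror{Set: evil, Manifest: manifestLine(name, evil)}
}

// crossMirrorCheck is the "SHA256 from a couple of mirrors" procedure: all
// manifests must agree and the set must match them.
func crossMirrorCheck(mirrors []Mirror, name string) bool {
	for _, m := range mirrors {
		if m.Manifest != mirrors[0].Manifest || !checksumOK(m, name) {
			return false
		}
	}
	return true
}

// signedCheck verifies the manifest with a project key pinned out of band, then the set.
func signedCheck(m Mirror, sig []byte, pub ed25519.PublicKey, name string) bool {
	return ed25519.Verify(pub, []byte(m.Manifest), sig) && checksumOK(m, name)
}
func main() { // demo: two mirrors reached through the same on-path attacker
	attacked := []Mirror{mitm("sys.tgz", []byte("bad")), mitm("sys.tgz", []byte("bad"))}
	fmt.Println("cross-mirror check after MITM:", crossMirrorCheck(attacked, "sys.tgz")) // true
}
```

The cross-mirror check passes against the rewritten files because the attacker controls every path, while signedCheck fails on the same input since the tampered manifest no longer verifies under the pinned key.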