On 22-07-2014 12:17, Peer Janssen wrote:
> I'm trying to establish a clean and uninterrupted trail of trust
> (integrity-wise) from Alice the OpenBSD devs to the OpenBSD 5.5 CD set I
> recently bought in a bookshop in a big German city. This proves
> surprisingly difficult.

Yep. There is no way to completely trust it. And perhaps there never will be. Some projects have DNSSEC for their official mirrors, others SSHFP records alongside it for their source code repositories. But you can never ultimately trust anything. I (and others) discussed this earlier on this list and also on tech@.

What I currently do that increases my odds of getting either the source code or compiled releases without tampering is that I download the sets and hashes many times, using many ISPs, VPNs, even Tor, and compare all of them to see whether they were tampered with. With the release of 5.5 I took even extra care to try to get the "right" thing, since it does have the signify keys that will sign the 5.6 release. Ideally I (and anyone a bit paranoid) should have an airgapped physical OpenBSD 5.5 (and 5.6, 5.7 and so on) machine that would only be used for verifying the next release. What I have currently is an airgapped VM on my laptop that will be used only for that purpose.

> So now I'm somewhat excited to install and dive more into that "distro"
> and discover more of it.

Good luck with that. Just please, refrain from using linuxisms on a BSD list.
Cheers, -- Giancarlo Razzolini GPG: 4096R/77B981BC
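The procedure described in the reply above (fetch the hash file over several independent network paths, check that every copy agrees, then check the downloaded sets against the manifest it carries), as an added example in Python that is not part of the original post or of OpenBSD's own tooling. It assumes the OpenBSD manifest line format `SHA256 (name) = hex`, skips the two-line signify header that SHA256.sig carries in front of those lines, and works on constructed sample data so it runs offline. The signature check on SHA256.sig itself is signify's job (`signify -C -p /etc/signify/openbsd-56-base.pub -x SHA256.sig` on the airgapped 5.5 machine) and is deliberately not reimplemented here; the script covers the two steps around it.

```python
"""Consensus check across independently fetched copies of SHA256.sig, then
verification of downloaded release sets against the manifest it carries.

Added example code; not OpenBSD's tooling. The signify signature on
SHA256.sig is verified separately by signify(1) with the key shipped in the
previous release; this only checks (1) that copies fetched over different
paths are byte-identical and (2) that each set matches the manifest."""
import hashlib
import re

# One manifest line: SHA256 (base56.tgz) = <64 hex chars>
MANIFEST_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def copies_agree(copies: dict) -> tuple:
    """copies: source label (ISP, VPN, Tor circuit, ...) -> raw bytes fetched.

    Returns (all_agree, {digest: [labels]}) so a disagreeing source can be
    named rather than just detected."""
    by_digest = {}
    for label, data in copies.items():
        by_digest.setdefault(sha256_hex(data), []).append(label)
    return len(by_digest) == 1, by_digest


def parse_manifest(text: str) -> dict:
    """Parse the SHA256 lines of a SHA256 or SHA256.sig file into name -> hex.

    SHA256.sig starts with an 'untrusted comment:' line followed by the
    base64 signature line; both are skipped. Any other line that is not a
    well-formed SHA256 entry is rejected instead of silently ignored."""
    lines = text.splitlines()
    if lines and lines[0].startswith("untrusted comment:"):
        lines = lines[2:]  # drop comment line and the signature line after it
    entries = {}
    for line in lines:
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"unexpected manifest line: {line!r}")
        entries[m["name"]] = m["digest"]
    return entries


def verify_sets(manifest: dict, files: dict) -> dict:
    """files: set name -> bytes on disk. Returns name -> 'ok'|'mismatch'|'missing'.

    Every manifest entry is reported, so a set that was never downloaded
    cannot pass by omission."""
    result = {}
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            result[name] = "missing"
        elif sha256_hex(data) == expected:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


# Constructed sample data (not real release files or a real signature):
SETS = {
    "base56.tgz": b"constructed base set contents\n",
    "man56.tgz": b"constructed man set contents\n",
}
MANIFEST = (
    "untrusted comment: verify with openbsd-56-base.pub\n"
    "constructed-signature-line-skipped-by-the-parser\n"
    + "".join(f"SHA256 ({n}) = {sha256_hex(d)}\n" for n, d in SETS.items())
)
# The same manifest as fetched over three independent paths.
FETCHED = {"isp-a": MANIFEST.encode(), "vpn-b": MANIFEST.encode(), "tor": MANIFEST.encode()}
# A fourth fetch whose manifest was altered in transit.
TAMPERED_FETCHED = dict(FETCHED, mirror_x=MANIFEST.replace("base56.tgz", "base56.tgz ").encode())


def run_demo() -> dict:
    """Run the whole chain on the constructed data and return the verdicts."""
    agree, groups = copies_agree(FETCHED)
    if not agree:
        return {"copies_agree": False, "groups": groups}
    manifest = parse_manifest(MANIFEST)
    return {"copies_agree": True, "sets": verify_sets(manifest, SETS)}


if __name__ == "__main__":
    print(run_demo())
    print(copies_agree(TAMPERED_FETCHED))
```

Only after the copies agree and signify has accepted the signature is the manifest worth trusting for the set checksums; a single outlier source is reported by label so it can be investigated rather than averaged away.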

