On Wed, Dec 17, 2008 at 03:19:09PM +1100, spamtester spamtester wrote:
> I know that I have the freedom to do this. However, my original question
> might have been a bit too bitchy. The issue here is that OpenBSD devs donate
> their good time making packages. Which is great. However, if they could just
> / if we modify pkg_create and pkg_add (and the other relevant ones) then the
> generation of packages would result in a list of sha1 / md5 / other checksum
> to match the packages then this would provide a feature which almost exists
> at the present. In packages there is a file which states the md5sums of
> parts of it. So I don't see this to be a large jump. I'm not sure that money
> is an issue, as checksums for the items within a package are already provided.

We moved to sha256 as soon as Perl 5.10 included it. The issue is mostly not technical; I've had proof-of-concept signature code for over a year. The issue is safe deployment of a correct PKI. We think it's worse to sign packages than not to sign them if you don't have a fairly strict process that ensures you have a correct chain of trust. Without that, "signatures" provide a false sense of security that doesn't match anything...

