OpenBSD Installation and Upgrading: Installing and upgrading OpenBSD.
Quote:
In your future replies to my posts, please do give me a bit of leeway.
Quote:
What is that single authority? Thanks in advance for your answer.

For OpenBSD software, it is The OpenBSD Project (the "Project"), in two ways:

Yep. This is why you are given the SHA-2 hashes -- it is your responsibility to review them and compare them from multiple mirrors.
And while the SHA algorithms are US NIST Standards -- meaning you may not trust them due to the NIST's ties to another famous government agency that can't get out of the news no matter how much it wants to -- they were openly developed and later adopted by NIST, and the hashes can be checked by a vast number of tools across all sorts of computing platforms.

Quote:
If you think you're dumb, I'm even dumber.
Quote:
About two to three years ago I attended a seminar hosted by developers of some anonymity software. I think it was Tor or Tails. Anyway, one of them advised those who were unable to obtain the developers' public signing keys in person to download their software from several different FTP sites hosted in different countries, compare their digital signatures and, over a period of time, if nothing to the contrary shows up, we can then trust their public keys. We know now that this logic is wrong.

Quote:
What if all the mirrors have been compromised? It happened to Gentoo once, many years ago. It was in the news a few months ago that the NSA is planning to recruit 6,000 IT professionals to be sent to all of their offices over the world for assignment.

All the hashes prove is whether the plaintext has been altered. If the message and the hash have been compromised, you are out of luck. If you are comparing hashes from your nearby mirror with hashes from the central distribution site, you have done all you can. You must trust that the central site has not been compromised, or is not otherwise being managed by bad actors.
The addition of a signature framework from the central site merely adds one form of authentication. It does not assure you of anything else.
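
The cross-mirror hash comparison discussed in the replies above, as an added example that is not part of the original thread: it parses BSD-style `SHA256 (file) = digest` listings (assumed here to be the format of the published hash files) and accepts a download only when every mirror lists the same digest. Mirror names, file contents and function names are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# BSD-style checksum line, e.g. "SHA256 (bsd.rd) = <64 hex digits>"
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

def parse_sha256_listing(text):
    """Return {filename: hex digest} from one mirror's SHA256 listing."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m["name"]] = m["digest"]
    return entries

def compare_mirrors(listings):
    """listings: {mirror: listing text}. Return {filename: {digest: [mirrors]}}."""
    seen = defaultdict(lambda: defaultdict(list))
    for mirror, text in listings.items():
        for name, digest in parse_sha256_listing(text).items():
            seen[name][digest].append(mirror)
    return {name: dict(d) for name, d in seen.items()}

def verify_download(name, data, listings):
    """True only if every mirror lists `name` with one digest and `data` matches it."""
    digests = compare_mirrors(listings).get(name, {})
    if len(digests) != 1:
        return False  # listed nowhere, or mirrors disagree
    (digest, mirrors), = digests.items()
    if len(mirrors) != len(listings):
        return False  # at least one mirror does not list the file
    return hashlib.sha256(data).hexdigest() == digest

# Constructed sample data: file contents and mirror names are made up.
GOOD = b"constructed stand-in for bsd.rd"
BAD = b"constructed tampered bsd.rd"
def line_for(name, data):
    return f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\n"
LISTINGS = {
    "mirror-a.example": line_for("bsd.rd", GOOD) + line_for("bsd", b"kernel"),
    "mirror-b.example": line_for("bsd.rd", GOOD) + line_for("bsd", b"kernel"),
    "mirror-c.example": line_for("bsd.rd", BAD) + line_for("bsd", b"kernel"),
}

if __name__ == "__main__":
    for name, digests in compare_mirrors(LISTINGS).items():
        status = "consistent" if len(digests) == 1 else "MISMATCH"
        print(name, status, {d[:12]: m for d, m in digests.items()})
```

If every listing was copied from the same compromised source, the check still passes: it shows that the mirrors are consistent with each other, not that the files are authentic.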