There's an awful lot there, so I'd like to ask only about the signing issue, since it's something I was curious about once reading a Usenix article insisting signed packages are a necessity (the authors were Arch Linux users IIRC). If we don't trust the channels even for getting a cd in the mail how would we trust that we have the right public key when we authenticate a signature (says the guy whose firefox tells him his corporate self-signed webmail certificate is untrusted and different from previous ones every couple of days and hasn't said anything, i.e. a very trusting user)?
If I get md5 sums from one source and source code from a separate source, that seems okay to me (or at least probably more robust than the actual looking over of the third party source code in the first place). Okay, so md5 can theoretically have collisions but how easy is it, actually, to do a collision and have a binary still run and do some mischief?
For the source code of OpenBSD proper, yeah, I'm getting mine in the U.S. mail, so maybe I'm actually getting NSA/OpenBSD in reality. I guess I could ask my relatives who are still in Canada to buy it for me and pick it up from them, but, frankly, as long as Stephen Harper remains Emperor for life, I'm not sure how much that helps. Guess I should just drive to Calgary and take the code from Theo DeRaadt at gunpoint.