OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto

ConstantineM writes "It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."

Very surprised that it took this long

[ModernGeek]

I'm surprised that this wasn't implemented a long time ago. Even Windows has had signed code for quiet some time.

Re:Very surprised that it took this long

I'm just bothered that such a decision was made based off of the arbitrary capacity of a floppy diskette. The Floppy-based installer should compensate by having it fit across multiple disks and stored into RAM, or some other solution. What's next? Something won't run on a machine with less than 8MB of RAM, so it will be shoved off?

Re:Very surprised that it took this long

At least you spelled disk the right way.... A floppy disc would have a hard time loading into a CD tray.

Re:Very surprised that it took this long

OpenBSD is security by arrogance: nobody cares much to pay any attention to it, and anyone who comes with good intentions gets shouted down.

Distributing unsigned packages in 2014 shows such a lack of concern for even the most basic risks facing administrators and end users that I can only assume it was intentional.

Re:Very surprised that it took this long

[sumdumass]

Nah. the floppy discs work just fine. I remember getting them with cereal boxes in the mid to late 90s. You could do about anything other then fold them in half and they would still work for a while. After about 20 uses, you needed another though.

http://en.wikipedia.org/wiki/Chex_Quest

Here is an example. I think they were made of cardboard but some were made out of the plastic like what you would see on a floppy cutting board. Usually they were part of the box and you needed to cut them out in order to use them.

Re:Very surprised that it took this long

[fisted]

Wrong. Using binary package is just considered not the right way to do things, in OpenBSD land.
What you do is, check out the source repository, which does make sure the data you get hasn't been tampered with, then build it from source.
For mass deployments, you can then create binary packages from the result (secure distribution to other machines is your job, however. although that typically isn't much of a concern since it usually happens on the local network.

IOW, your comment is pure BS.

Re:Very surprised that it took this long

[cold+fjord]

So, do you have a timeline for when other *BSD and Linux distributions switched to signed packages? It looks to me that FreeBSD only started that move at the end of October, and doesn't appear to be there yet. I don't think I would call that a "crushing" lead.

There wouldn't happen to be some trolling going on with your post, is there? Especially the "security by arrogance" bit?

Thu Oct 31 02:10:33 UTC 2013

Pkg 1.2 will be released in the coming month which will bring many
improvements including officially signed packages. FreeBSD 10's pkg
bootstrap now also supports signed pkg(8) installation.
 

Re:Very surprised that it took this long

"Disc" is how English speakers outside the US spell the word describing a round, flat object. The reason one item is referred to as a "floppy disk" and one as a "compact disc" is simply their origin. The Compact Disc was developed by a Philips/Sony team, companies located in the Netherlands and Japan respectively. The floppy disk was developed by US based IBM.

Re:Very surprised that it took this long

[Sean]

And how exactly do you get the OS and compilers to build the source code with?

Re:Very surprised that it took this long

Linux based bios

Re:Very surprised that it took this long

Majority of Linux installations use RPM or APT, and those had GPG signing since ~2005.

Re: Very surprised that it took this long

i'm bothered by the fact that you feel the capacity of a floppy disk is arbitrary. If the HDD makers get wind of this we are all in trouble.
I mean nobody cares anymore that they round up to 00000's and give us some crap about binary vs decimal, cause hard drives are so big now. But if you think i'm gonna buy a hard drive with some arbitrary number of bytes, or bits and not even know till i plug it in?
Man, you are the devil !

Re:Very surprised that it took this long

[hairyfeet]

Well considering the fact that OpenBSD is in danger of shutting down due to lack of funding I really don't think starting this NOW is the greatest of ideas. Click on the comments to the article I linked to and they have a letter from de Raadt berating some for daring! to suggest that they might not ought to support a shitload of ancient formats like VAX if they are losing THAT much cash so I'd be amazed if they are here next year.

I'm sure I'll get hate from the *BSD fans but truth is truth and when you are bleeding cash like that you can NOT just give everyone a bad attitude and a "we deserve this", not when you are counting on those same people to support you. Either de Raadt stops running that huge mound of servers or they bleed to death, simple as that. And from the looks of that letter he'd be perfectly happy with it being the latter if it means giving an inch otherwise. Sorry guys but I've dealt with "never give an inch" types in business and in my exp they usually end up bankrupt. The wise owner rolls with the punches and accepts there is gonna be downturns, the arrogant owner says "I deserve it all" and runs the company into the ground.

Re:Very surprised that it took this long

Don't forget that they make high level decisions based on floppy disk support in 2014.

Re:Very surprised that it took this long

[dbIII]

If they go under that just means no conference and having to beg server space from someone. Volunteer groups go over the edge all the time and comparing them to a business is pointless since the aims are very different.

Re:Very surprised that it took this long

[fisted]

Those "probably" (read: as is the case for any other OS) come with the installation media, which is an entirely different matter.

Re:Very surprised that it took this long

[citizenr]

It doesnt have to be secure, nobody uses openbsd outright.
It exists solely for the purpose of begging for donations while at the same time letting big corporations take its code and include in their products without giving back.

Re:Very surprised that it took this long

I fail to see why a BIOS would use the kernel of a general-purpose operating system.

Re:Very surprised that it took this long

It's probably important to note that FreeBSD only really distributed packages as a courtesy. They were not updated in any way. There was a set that was made to put on the DVD or to `pkg_add` and get up to speed quickly. The expectation was that you would use ports and tweak everything to get the system you really wanted. This ideology has been dead for a long time, but package tools are hard and the infrastructure wasn't magically just there either. The new pkg tools are the product of years of development and back end planning. FreeBSD is now moving towards packages that have "sane defaults" and ports just being the build infrastructure for automation and masochists. Recently, Theo started throwing stones from his glass house over FreeBSD not signing packages while knowing full well it was already implemented in the new pkg tool. Meanwhile, OpenBSD had no such implementation for signing packages itself.

Re:Very surprised that it took this long

[stderr_dk]

I fail to see why a BIOS would use the kernel of a general-purpose operating system.

Nevertheless that is what coreboot does. It used to be known as LinuxBIOS.

Re:Very surprised that it took this long

Those "probably" (read: as is the case for any other OS) come with the installation media, which is an entirely different matter.

I can name at least one OS that doesn't come with a compiler on the installation media.

Re:Very surprised that it took this long

If they go under that just means no conference and having to beg server space from someone.

Didn't someone already offer them server space, but they reject the idea?

Re:Very surprised that it took this long

[allo]

disc = cd/dvd/...
disk = hard disk, floppy disk, ... (disc in a box, if you want so)

Re:Very surprised that it took this long

[Knuckx]

Coreboot doesn't use linux at all. Coreboot just initalises hardware, then loads a payload from ROM. That payload can be a Legacy BIOS service provider (SeaBIOS), an EFI environment (TianoCore), a bootloader (U-Boot, GRUB2), a Linux kernel, or pretty much any x86 code that does not require any BIOS/EFI services present.

Re:Very surprised that it took this long

[aliquis]

Installation media which you can generate a md5 hash for or whatever.

Re:Very surprised that it took this long

[aliquis]

But they likely want to keep it being just ONE floppy.

Not bloat it like NetBSD which require TWO floppies.

(FreeBSD seem to be even worse! ..)

Re:Very surprised that it took this long

[aliquis]

disc = English
disk = Svenska

Re:Very surprised that it took this long

Meanwhile, back in the real world, system administrators generally consider having a complete toolchain installed on every single machine is a security vulnerability in itself.

What you do is, check out the source repository, which does make sure the data you get hasn't been tampered with

Well gee, if only someone had invented a method to sign binary packages so you could be sure the data you get hasn't been tampered with?

Re:Very surprised that it took this long

[K.+S.+Kyosuke]

I think you missed the "used to be" part of his comment. As in, what you're talking about is "now", and what he was talking about was "back then".

Re:Very surprised that it took this long

The real news is that BSD considers binary packages as an alternative to source deploys. The source was secured and you could look into it if you wanted. Binary patches and updates are the new stuff. Binary packages already existed, but weren't used that much.

And now the funny part: It takes me longer to download than compiling the source code for any software. (Ok. Not really anything. OpenOffice is an exception.)

Re:Very surprised that it took this long

[Clsid]

I don't know, surely de Raadt has a reputation, but those guys have done a great thing in general. Having that attitude is what helps getting stuff done most of the time instead of happy hand holding, we are all good friends kind of attitude. Not signing packages and not wanting to use gnupg is kind of absurd, but I have seen weirdest attitudes in the free software world, like sticking with Vi instead of quick edit and easier tools like nano, or this whole thing about gnu info vs man pages.

I have been using Debian for my servers, but I'm seriously considering switching to OpenBSD mostly because it provides a barebones installation that is mostly secured by default. That and stability is what I value the most for servers and these guys deliver big time.

Re:Very surprised that it took this long

[Knuckx]

I can very clearly see and read his comment: it said "Nevertheless that is what coreboot does.", and that is what I responded to. The "used to be" part of his comment is quite clearly refering to the name change, and not to a change of scope. In fact, if you had read what you linked to, you would realise that coreboot/LinuxBIOS has never used the linux kernel for anything past a payload (linux was the orignal payload, as the old name suggested) - it is not (and never has been) involved in the hardware initialisation at all.

Re: Very surprised that it took this long

Whooooooosh.

(Point of the posting)
^
|
3 kilometres of air
|
V
(Your head)

Re: Very surprised that it took this long

8", 5.25" or 3.5" ?

Re: Very surprised that it took this long

Windows? Oh wait. You meant operating systems. Sorry.

Re:Very surprised that it took this long

The disk of floppy disks is a round flat object, I bet you're to young to ever come close to one.

Re:Very surprised that it took this long

Yes indeed: Finally. And about the wat, the difference ours better now. A definition is a short start line to a long track of knowledge.

Re:Very surprised that it took this long

[PopeRatzo]

I thought "disc" was how people from Montreal spelled "disk".

Live and learn.

Or maybe I'm thinking of "disque"

Either way, floppy disks? Really?

Re:Very surprised that it took this long

[Kjella]

Theo is the same that he's been for the last 20 years, on the one hand he's militant about the BSD license which gives away all the code to multi-billion corporations then a giant crybaby when the same corporations take the code and give him nothing but a cold shoulder in return. Oddly enough he's managed to gather a small following which barely keeps OpenBSD alive, usually by threatening to shut down OpenSSH development which is their only true success but this is neither the first nor the last time he's making such ultimatums.

If Linus is the benevolent dictator for life, Theo is the not-so-benevolent dictator for life. He started OpenBSD so he could run the show and any oppositition is harshly cut down. Don't argue with him about how the project's managed, what costs are necessary, everything is as Theo has decided it should be and he's only complaining that nobody is willing to fund his masterpiece. Your input is not wanted, just your wallet and he treats everyone from the smallest individual contributor to giant corporations the same. He's got balls of steel and an ego the size of a planet, but in the end he'll always be going around with a beggar's cup.

Re:Very surprised that it took this long

I've still got a copy of WordPerfect for DOS, unopened, still in its shrink wrap. It's something like five or six 5.25" floppy discs.

Re:Very surprised that it took this long

What the heck?
What you say makes sense, but it's wrong.
A "package" is defined as a binary executable, and a "port" is defined as the source (using OpenBSD's terminology). And, I quote,
http://www.openbsd.org/faq/faq15.html#PkgVsPorts

"In general, you are highly advised to use packages over building an application from ports. The OpenBSD ports team considers packages to be the goal of their porting work, not the ports themselves." ...
"Why go through this much time and effort, when the programs are already compiled and sitting on your CD-ROM or FTP mirror, waiting to be used?"
Actually, the page discusses some possible reasons why, but then states,
"However, for most people and most applications, using packages is a much easier, and definitely the recommended way of adding applications to an OpenBSD system."

Maybe using a binary package isn't the actually right/secure way, but it definitely is "considered" to be "the right away to do things", exactly in contrast to your statement.

Re:Very surprised that it took this long

[Bengie]

I'm surprised that this wasn't implemented a long time ago. Even Windows has had signed code for quiet some time.

Having code signed by a central CA seems to be again what OpenBSD and FreeBSD are trying to do. They don't want to play god and gate keeper. They held off as long as they could to see if a new distributed public key system could have came out. Unfortunately, a new public key system has not come out and the security benefit is too grate, even if against their ideology.

Re:Very surprised that it took this long

[Bengie]

"Good intentions" may be enough for Linux, but OpenBSD likes to have reasoning behind the ideas. Actually, OpenBSD's target isn't even that of being used, which is why it doesn't support proper multi-threading. Their entire focus is making is secure and doing it correctly the first time. It's a platform that aims more for theoretically correct designs, but it just so happens to be quite decent in many practical applications, like firewalls.

Re:Very surprised that it took this long

GPL exists for the sole purpose to get lots of shitty programmers being able to commit their bug riddled spaghetti code back to trunk. I'll take quality over quantity anyday. GPL has some strange fetish with wanting more and more committers. OMG! We got more companies committing back than any other license! We are superior in EVERY way! Their code seems fine until 5 years down the road, it gets replaced. If your shitty code design can't last 10 years, stop polluting with your crappy code!

Re:Very surprised that it took this long

[chriscappuccio]

Yeah, because using a large and unwieldy package would have made it so much more useful, trustworthy, right?

Re:Very surprised that it took this long

[chriscappuccio]

If you get packages from an official FTP/HTTP site or CD, then chances are, your biggest adversary is 1. someone who can perform DNS poisoning or 2. the NSA. Guess which one helped spur this into action, at least in some small way?

FreeBSD 10 is the first to offer signed packages, and it is just coming out now. OpenBSD 5.5 isn't that far away.

https://lists.freebsd.org/pipermail/freebsd-pkg/2013-October/000107.html

Re:Very surprised that it took this long

[chriscappuccio]

You're wrong. Using binary packages IS the recommended way to go in OpenBSD land.

Re:Very surprised that it took this long

[chriscappuccio]

Please explain how floppy support is degrading security. I'd like to see this one.

Re:Very surprised that it took this long

[chriscappuccio]

Nobody uses OpenBSD outright? Wow. I could have swore that over 80 computers in my immediate vicinity at home and work run..hmm..What is that called? OpenBSD?? Yeah, I think that's what they run.

Re:Very surprised that it took this long

[abirdman]

My "official" copy of WordPerfect was the last (group) of floppy disks I owned (along with a licensed copy of MASM). But do you have the function key template, without which WP is practically useless?

Re:Very surprised that it took this long

You, Sir, owe me a new keyboard.

Re:Very surprised that it took this long

[TheRaven64]

What you do is, check out the source repository, which does make sure the data you get hasn't been tampered with, then build it from source.

Actually, it doesn't. OpenBSD is still using CVS for revision control. After the FreeBSD cluster compromise a couple of years ago, we found that the CVS repository was the one thing whose integrity we could not verify. The current FreeBSD CVS repository was created by exporting from subversion (which could be verified) and validating it against git (which also can be verified).

Oh, and OpenBSD does recommend getting the binary packages over using ports (but they don't release security fixes for binary packages, and don't support using a ports tree revision that doesn't match your base system revision), and they recommend getting binary packages with unencrypted, unauthenticated, FTP.

Re:Very surprised that it took this long

[TheRaven64]

FreeBSD systems traditionally built their own packages from the ports tree. The shipped packages are really just the ones that go on the install media, which are typically out of date by the time you get around to installing it. With the new pkg(7) infrastructure, we are properly supporting binary packages and part of the requirement for this was that we'd sign them and distribute the keys out of band. The signing keys are currently distributed using freebsd-update, which was designed to do binary updates of the base system and does use signed deltas. These are then used by the pkg tool to verify packages.

Prior to this, we were distributing the ports tree using the portsnap utility, which also does cryptographic verification of the downloads using the same mechanism as freebsd-update.

Re:Very surprised that it took this long

Are you retarded? Or maybe your reading comprehension is sub par? That was the entire point of my post. That "disc" is not some special brand name for CDs but simply is the way the word is spelled outside the US

Re:Very surprised that it took this long

[chriscappuccio]

Or Windows 8.1 which requires, well, a LOT of floppies.

http://blog.dk.sg/2013/10/25/upgrading-to-windows-8-1-using-3-5-floppy-disks/

Re:Very surprised that it took this long

[chriscappuccio]

You do have to download the source...

Re:Very surprised that it took this long

[chriscappuccio]

I suspect you'll be very happy with the pre-release for OpenBSD 5.5. For amd64,

ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/

and signed packages:

ftp://ftp.openbsd.org/pub/OpenBSd/snapshots/packages/amd64/

It's also quite nice on the desktop, with Intel and Radeon KMS from the Linux 3.8 series.

Re:Very surprised that it took this long

[unixisc]

Actually, for the comments, one has to go pretty deep, so here it is

Yeah, I too think that OS won't be around too long, so it will be down to FreeBSD and NetBSD. On the Linux side of things, even distros like Debian have discontinued support for things like HP PA-RISC, which is less ancient than VAX. FreeBSD has dropped support for DEC Alpha. That's what not just companies, but even volunteer organizations do when a platform is no longer in circulation. Yet that rack had a number of ancient boxes like VAX, PowerMacs, SPARCstation 20 (i.e. SPARC32), and more. Things that don't get built anymore.

He could cross-compile for older platforms on Xeons, while still keep currently selling boxes, such as HP Integrity servers, Sun SPARC and IBM POWERservers. He'd get his diverse architectures, and he'd save his electric bills. But since OpenBSD has a policy against cross-compiling, looks like they'll just have to go down.

Can nobody else fork OpenSSH, if he's threatening to end that if he isn't funded?

Re:Very surprised that it took this long

Nobody uses OpenBSD outright? Wow. I could have swore that over 80 computers in my immediate vicinity at home and work run..hmm..What is that called? OpenBSD?? Yeah, I think that's what they run.

Yep, Slashdot is full of dummies that hate OpenBSD.
I run only OpenBSD on my desktop, I do everything on it and I'm not an IT person or programmer(unless you call soldering a programming language).

Re: Very surprised that it took this long

[sabri]

3 kilometres of air

I'm sorry, that is not something that the average American will understand. Next time, write "3.2 Kilometers of air" and we can translate it with "2 Statute Miles of air" :)

Re: Very surprised that it took this long

None of which are signed. I guess you can buy official CDs, or download the image from FTP and compare hashes with what's been posted on mailing lists, possi

Re:Very surprised that it took this long

"Not the right way to do things in OpenBSD land"

ie, backwards, outdated and just plain stupid.

The fact they are just adding a basic security feature now is outright inept to the point that I hope they can't raise the funds to continue the project, they are doing a disservice to security.

Re:Very surprised that it took this long

[ConstantineM]

Using binary package is just considered not the right way to do things, in OpenBSD land.

Entirely false. Binary packages, installed with pkg_add from a nearby mirror, has been the recommended way to install ports for as long as I remember (I've been a user for some 10 years, and a developer, too). I've never heard of anyone compiling packages directly from ports in OpenBSD. Not even the developers, unless they're port developers, that is.

Even for the kernel itself, it is highly recommended for non-developers to only run the binary snapshots.

Unless one is tracking the stable branch, which has no official binary builds, then compiling from source tree is only ever advised for the developers.

Re:Very surprised that it took this long

[fisted]

Admittedly I was only inferring from NetBSD.
Reading the OpenBSD FAQ, it in fact seems to recommend using binary packages, unsigned, transmitted over an insecure channel, which, frankly is retarded and should be fixed, unless signify is really really near.

Re:Very surprised that it took this long

[fisted]

What the heck? What you say makes sense, but it's wrong.

Looking closer, the FAQ is wrong here.

A "package" is defined as a binary executable, and a "port" is defined as the source (using OpenBSD's terminology).

Yes. This is about who builds the package, though. It's a bit vague terminology, but for my purposes, 'using a port' means building it yourself and installing the resulting package, while 'using a binary package' means fetching the prebuilt package from somewhere else.
With this out of the way..

And, I quote, http://www.openbsd.org/faq/faq15.html#PkgVsPorts

"In general, you are highly advised to use packages over building an application from ports.

Well frankly I have no idea why there's such utter BS in the FAQ.
It essentially tells us we're ``highly advised'' to fetch unsigned tarballs over plaintext ftp, when the alternative way is the admittedly antiquitated but at least secure cvs-over-ssh checkout.
Every security-minded person with half a brain can figure.

Maybe using a binary package isn't the actually right/secure way, but it definitely is "considered" to be "the right away to do things", exactly in contrast to your statement.

Your argument is essentually argument-by-authority, although I admit I usually trust official FAQs, too. This seems really odd.

On the upside, when signify is done, they at least don't need to update the FAQ, since then using binary packages will be equivalently secure.

Re:Very surprised that it took this long

[fisted]

And the CVS transport used in OpenBSD is.....? *drumroll*

Re:Very surprised that it took this long

[fisted]

And why would you do that? Going that way you're easily MITM'ed.

Can you give some better reason than 'everyone does it'?

Why exactly would you prefer an insecure transmission channel over a reasonably secure one, for the software you install? How does that even remotely fit the OpenBSD mindset?

Even for the kernel itself, it is highly recommended for non-developers to only run the binary snapshots.

This sounds just as stupid, and I'm tempted to believe it's only recommended to raise the signal-to-noise in crash reports. Crash dumps from custom kernels are harder to analyze for other developers than if the generic one was used.

Re:Very surprised that it took this long

> which is why it doesn't support proper multi-threading

It has for a couple of years now.

Re:Very surprised that it took this long

I find it strange that everybody shits on de Raadt about his attitude, yet when his lord highness Torvalds acts even worse suddenly it's OK http://cdn.arstechnica.net/wp-content/uploads/2013/02/linus-eff-you-640x363.png

Exactly what is easier/better about nano??

The man vs gnuinfo goes back to the troff vs TeX wars. Having written a dissertation in both I'll take the freedom of troff rather than the straight-jack of TeX

Re:Very surprised that it took this long

[ConstantineM]

And why would you do that? Going that way you're easily MITM'ed.

Can you give some better reason than 'everyone does it'?

Why exactly would you prefer an insecure transmission channel over a reasonably secure one, for the software you install? How does that even remotely fit the OpenBSD mindset?

Maybe it doesn't, but that's not a good reason to claim of a widespread practice, "in OpenBSD land", that's completely foreign to anyone actually familiar with OpenBSD.

I repeat: I don't know of anyone who compiles software from ports all the time (besides, that's not that much more secure, since the ports tree itself isn't signed, either). A `pkg_add` from a nearby mirror is what gets things done for the vast majority of people. Many mirrors are run by developers; personally, I wouldn't use any mirror that wasn't; and yes, especially in light of the recent revelations, this does leave some room for a Government-in-the-Middle attack, which is probably exactly the reason of why this won't be as it was anymore.

Re:Very surprised that it took this long

[chriscappuccio]

It's already part of the -current snapshots. It will be a feature in 5.5 for base, packages and firmware.

Re:Very surprised that it took this long

[ConstantineM]

http://openbsd.org/faq/faq15.html#Ports

"Everyone is encouraged to use the pre-compiled binary packages."

Re:Very surprised that it took this long

[fisted]

(besides, that's not that much more secure, since the ports tree itself isn't signed, either).

Checking out the ports tree via cvs+ssh means i can be reasonably sure that i get in fact the right thing, including distfile hashes.
So yeah, it is much more secure.

As for the ``but it's so hard to compile ports'' argument, i have to admit i was only infering from what I'm used to from Net- and FreeBSD.

So, what exactly is the big deal with compiling ports on OpenBSD? Now i'm honestly curious.

Re:Very surprised that it took this long

[fisted]

Yes, I get it, you're a big fan of argument-by-authority.
Try something new for a change: Think for yourself *gasp*, and explain why exactly the FAQ encourages this, and the security implications of it.

Re: Very surprised that it took this long

Been ten years since I've been to Slashdot and nothing has changed.

Re:Very surprised that it took this long

[thomas8166]

Wrong. The OpenBSD FAQ expressly recommends packages over ports.
http://www.openbsd.org/faq/faq15.html#PkgVsPorts

Re:Very surprised that it took this long

[fisted]

you're the 3rd or 4th one to point this out. i have replied to this somewhere else in the discussion

Re: Very surprised that it took this long

Compact Disc is spelled disc because disk was a dictionary word and you can't trademark a phrase that's entirely dictionary words.

It's the same reason Blu-ray isn't spelled Blue-Ray.

tl;dr - you're wrong

Re:Very surprised that it took this long

[Cyclops]

Majority of Linux installations use RPM or APT, and those had GPG signing since ~2005.

Actually, Red Hat's RPM usage included gpg signing of each of the packages individually since before 2000 :)

Re:Very surprised that it took this long

[BasharTeg]

You think that's bad, try Kings Quest 5, the last version offered on floppy disk. Shit's ridiculous, and then one of the floppies goes bad.

Re: Very surprised that it took this long

[Cid+Highwind]

That's backwards.

"Disc" is a non-trademarkable dictionary word for any round, flat object.
"Disk" is a shortened form of "Diskette", which was an IBM trademark for 8" floppy disks (and later their 5.25" and 3.5" descendants).

Re:Very surprised that it took this long

I never did finish KQ5 for this very reason. Thanks for the rage inducing flashback.

Re: Very surprised that it took this long

[MareLooke]

I'll just leave this here.

I tried signing mine

But I found that the marker caused some skin irritation. Anyone else find this, or figure out a good treatment?

Re:I tried signing mine

Yeah but I highly doubt you'd have trouble fitting your package into a floppy.

First thought upon seeing the headline:

[macraig]

What does openBSD have to do with tattooing your Johnson?

Re:First thought upon seeing the headline:

You can whack off in safety knowing that your OpenBSD box is secure because nothing runs on it except DJB software.

Re:First thought upon seeing the headline:

[cold+fjord]

They don't have much of a budget for advertising.

Re:First thought upon seeing the headline:

Get yourself a nice, satisfied looking Puffy there and the ladies will never look you the same afterwards.

Re:First thought upon seeing the headline:

[Megahard]

That's why it has to fit on a floppy.

Re:First thought upon seeing the headline:

One of the funniest /. comments I've ever read, especially with that name...

Re:openbsd is comprimised by NSA

DJB accepted NSF grants?!!

Floppy disks?

[thue]

Being limited by floppy disk support requirement sounds like a bad joke. Is that really relevant for any computer which is not hopelessly antiquated in 2014? For reference, Apple stopped shipping floppy disk drives by default in 1998.

Re:Floppy disks?

And when you want to use a hopelessly antiquated computer for something, OpenBSD will be there for you.

Re:Floppy disks?

[Daniel_Staal]

Well, I haven't followed the discussion, but I do know that one of OpenBSD's major markets is basically semi-embedded systems: Firewalls and routers. It's likely they won't have much in the way of external storage attachment, or much in the way of internal storage at all. Given that, it might make sense. I don't know.

Re:Floppy disks?

[gwolf]

No, it won't make much sense even with that in mind. Even less, in fact.

Embedded systems are usually factory-installed. In the factory, they don't do the installs via floppies. Most OpenBSD installs today are done off their (very good!) CD-ROM media, or maybe even more, by USB.

Floppy disks are used for a tiny percentage of installs (yes, even of *their* installs). Alright, they don't want to dump very old architectures that are known to work and have no other acceptable bood medium, but in the end... Basing the entire OS in the least common denominator takes a toll on the general usability of the system in everyday settings.

Re:Floppy disks?

You're right, maybe we should accept that times are changing. OS installation in a security and mission critical environment should be done by USB. Or even a direct Internet connection. Inspecting the content that is being installed and verifying that the installation medium contains exactly what it should sounds uncool.

What could possibly need more security than a computer used to draw pretty pictures on?

Re:Floppy disks?

[Daniel_Staal]

I said semi-embedded for a reason: I'm more thinking of hobiest/custom firewalls and routers. The ones from the factory tend to run a version of Linux or PFSense - But you can get similar devices from manufacturers without an OS that you can install your own OS onto.

Not that I'm sure I disagree with you. Just trying to think of a rational reason and give them the benefit of the doubt. However hard that is.

Re:Floppy disks?

Halp! I can't find my router's floppy disc drive. What do? Please advise! :^D

p.s. I got rid of my last PC with a floppy drive about 5 years ago.

Re:Floppy disks?

And i still use floppy drives because it makes it dead simple to install OpenBSD.

What was your point again? ah yes _you_ personally have no need for this so nobody else should have the option available.

Re:Floppy disks?

[TarPitt]

As far as OpenBSD is concerned, "the general usability of the system in everyday settings" is the bottom priority.

No, in fact the lack of general usability is a goal OpenBSD strives for.

Be grateful they aren't still using punched paper tape for installs.

Re:Floppy disks?

The point was the GGP implied the need for a floppy-disc installer was for routers.
WHOOSH.

Re:Floppy disks?

[dbIII]

Being limited by floppy disk support requirement sounds like a bad joke

Why are you making it then? Out of the dozen machines I've put *bsd on there is only one that had a floppy disk drive. I installed via USB on that one just like all the others.

Re:Floppy disks?

Yeah. But until that time comes, let's keep making fun of it!

Re:Floppy disks?

Routers often run on actual server hardware with plenty of options to attach different drives. Routers are far from all "a little blinking box in the corner". No wooshing sound whatsoever here. (that the grandparent also seems to get this wrong as if routers/firewalls have to be tiny embedded systems does not excuse anyone). Then you have VMs where you just attach a floppyimage and have it download the updated system from an internal build machine. So many options - so little WOOSH sound

Re:Floppy disks?

[jawtheshark]

I gather that more serious OpenBSD admins simply boot from network and be done with it. (Google PXE, if you haven't got a clue what I'm talking about) I haven't used a USB or CD-Rom for ages to install mainstream Linuxes or OpenBSD.

Re:Floppy disks?

[Tom]

In a recent interview I can't find right now, Theo gave a perfectly good reason for this insane legacy support: OpenBSD is a volunteer project, and some of the most valuable contributors want this stuff to remain. Dumping the legacy systems would most likely mean losing those contributors. If they are important enough to the project, then the legacy support is the price it pays to keep them around.

Re:Floppy disks?

Being limited by floppy disk support requirement sounds like a bad joke.

Well, about 6 months ago, I needed to update the bios on a server I had. The only way to update the bios was to boot the installer from a floppy. The installer would not run from a bootable CD or from PXE.

Fortunately I keep an old usb floppy drive for this purpose. The server was about 3 years old.

Re: Floppy disks?

Makes perfect sense, thanks for a rational answer.

Re:Floppy disks?

[chriscappuccio]

It's about discipline more than supporting old hardware. Maybe you've heard of it?

Re:Floppy disks?

[chriscappuccio]

The "general usability of the system" is actually one of the top priorities. Sane defaults, few knobs, easy installer. Of course, if "usable" means "GUI that my grandmother could use" then maybe it doesn't fit your definition. But, "usable" for anyone who has any CLI experience whatsoever means that OpenBSD is going to be quicker to install, and easier to get up and running for a particular purpose than almost any other system available.

Re:Floppy disks?

[TheRaven64]

None of these devices have floppy disks though. Compact Flash cards are a more common requirement, as they're basically IDE devices. I had one a few years ago with a custom firewall distribution that fitted onto a 32MB CF card, but a year later it was hard to buy a CF card smaller than 4GB and so I switched to a full OS install.

Re:Floppy disks?

[McDutchie]

Another good reason I found on a relevant mailing list thread is that testing on a large variety of architectures often exposes bugs that remain under the radar otherwise (but may still come to bite users as security holes). That large variety is only available by supporting legacy architectures.

Re:Floppy disks?

[Zero__Kelvin]

And if it wasn't hopelessly antiquated already, just install OpenBSD and, like magic ... POOF ... it is antiquated!

floppy?

Do they even make those anymore?
I thought those things went the way of copper plate photography and arsenic based treatment for syphilis.
I haven't had a computer with a floppy drive in 10 years (or ever if you want to be pedantic about it).

Re:floppy?

[jones_supa]

Verbatim still makes 1.44MB HD floppies. I guess people still need a fair amount of floppies for various niche applications, such as embedded gear or old PCs.

Re:floppy?

[LWATCDR]

Many Steno Machines used by court reporters us Floppies.

Re:floppy?

Hey! I still happily use the Amiga 500 I bought in the late eighties. It uses floppies and I don't intend to part with it anytime soon.

1991 called...

[93+Escort+Wagon]

Nah, too easy.

Re:1991 called...

... and declared "Intel is just a fad. PowerPC is the processor of the future!"

Re:1991 called...

[ChunderDownunder]

1987 called to say the Archimedes will spank any 386SX.

RISC OS is a footnote but ARM is in great shape.

Re: bsd is dead

Prove it

djb switching?

[ConstantineM]

I cannot find a back reference right now, but didn't DJB switch away from FreeBSD to Ubuntu precisely because of the signed packages?

Re:djb switching?

Why do you care so much about a man's personal preferences? Do you wear all black clothing too? If DJB told you to jump off a cliff, would you please do it?

it won't fit?

[X0563511]

I call bullshit:
Copied right from /usr/bin:
"-rwxr-xr-x. 1 person staff 744K Nov 11 2010 gpg"

Packed with upx --best: (note this runtime unpacks, there is no loader library etc)
"-rwxr-xr-x. 1 person staff 327K Jan 19 05:40 gpg"

I should note this is a static binary.

Re:it won't fit?

[ConstantineM]

On i386, OpenBSD 5.4 can be installed from either one of the 3 floppies:

%ftp ftp://ftp.nluug.nl/pub/OpenBSD/5.4/i386/
...
ftp> ls floppy*
150 Here comes the directory listing.
-rw-r--r-- 1 500 450 1474560 Jul 30 18:27 floppy54.fs
-rw-r--r-- 1 500 450 1474560 Jul 30 18:27 floppyB54.fs
-rw-r--r-- 1 500 450 1474560 Jul 30 18:27 floppyC54.fs
226 Directory send OK.

Which one do you use? You'd have to see which one supports your hardware, which is documented in the INSTALL.i386 file, generated from src/distrib/notes/i386/hardware, amongst other files:

Drivers for hardware marked with [A] are NOT included in floppy A.
Drivers for hardware marked with [B] are NOT included in floppy B.
Drivers for hardware marked with [C] are NOT included in floppy C.

In summary, it would seem like OpenBSD is only intended to be boot-strapped from a floppy (e.g. to fetch the rest of the files from the network), and from a single floppy at that. So, even with the licence aside, including something like gnupg is indeed unrealistic and cumbersome.

Re:it won't fit?

Do not be so tempered! 327K is about 23% of HD floppy disk size. That is considerable percentage while competing for media space with essential boot utilities and kernel.

Re:it won't fit?

[Too+Much+Noise]

Even giving it the benefit of the doubt, what would break the process so horribly if a separately packed floppy disk installer does not check signatures (link gpgv to /bin/true for instance) while the other installers do? Floppy users don't lose or gain anything while the rest get the benefit of an untampered source assurance. Or are they also trying to argue that adding signatures won't let the regular installation packages fit on floppy disks?

Re:it won't fit?

OpenBSD's goal is to have security that Just Works, not security that you expect to work but silently fails because you chose the wrong installation medium.

Re:it won't fit?

[Too+Much+Noise]

So by your own admission it's now 'security that *ahem* silently Just Fails to Work on *all* installation media'? Awesome. Having it work on all - 1 (actually all - see below, but what's 1 between internet strangers) will definitely be a huge step back.

Besides, nobody said anything about 'silently failing' - you can put a big red warning sign about it on the download page. Also, you should still check the image signature for that itty bitty tiny floppy install to validate its integrity (as one would do with any install medium), and package sigs can be checked outside the installation procedure anyway. So I'm kind of mystified as to what point you were trying to make.

Overly paranoid

[johnwbyrd]

I started using OpenBSD in 1998. It was a viable, timely competitor to Linux at the time, especially for building firewalls as such.

OpenBSD is a great example of what happens when you make life too difficult for end users and administrators in the name of Security. OpenBSD has never embraced the most recent release of anything -- if it's new, by definition it's insecure and it can't be trusted. Ergo, if you have to demonstrate the latest technology in whatever you're doing, you start with a Linux distribution.

From the article: "We wanted a tool that would fit on installation media, which meant minimizing code size and external dependencies." That's the breakage mode, in a nutshell. NO ONE in the world has been clamoring for an OpenBSD signing tool that runs on a floppy. But the designers are imagining the user requirements based on their own biases. This way lies the death of any commercial or open source software product.

Re:Overly paranoid

And yet OpenBSD is still with us, so they must be doing something right.

Re:Overly paranoid

It's free software, it's not like their going to go out of business. it will always be with us as long as theo deraadt can keep living in his mom's basement.

Re:Overly paranoid

I don't know if you've been paying attention lately, but it's a rather appropriate time to be paranoid.

Re:Overly paranoid

[johnwbyrd]

Yes, and people are developing games for the Sega Dreamcast as well. Existence is not the same as professional viability.

Re:Overly paranoid

OpenBSD has never embraced the most recent release of anything -- if it's new, by definition it's insecure and it can't be trusted.

Which is why I choose OpenBSD. One can choose Linux for this as well, but then you have to start maintaining a set of SELinux rules. If you think that the default SELinux rules are even remotely acceptable, I urge you to stay away from secure systems.

Ergo, if you have to demonstrate the latest technology in whatever you're doing, you start with a Linux distribution.

Building a secure system is not about testing out the latest and coolest technology. It's about being certain that the system is secure. The latest technology is filled with bugs, and enough bugs are later found to be exploitable for that idea to be obviously bad.

NO ONE in the world has been clamoring for an OpenBSD signing tool that runs on a floppy. But the designers are imagining the user requirements based on their own biases.

I am certain that there are OpenBSD users that use floppies to install. Those are most likely among the more careful users, which means that they also would like signed packages. It seems that the OpenBSD developers knows more about their user base than you.

This way lies the death of any commercial or open source software product.

They stick by their conviction that security is relevant and that it can't be patched on in the end. Security is expensive and virtually nobody cares about it, so I agree that they are in the danger zone. That is why de Raadt has urged people to donate.

Re:Overly paranoid

[ls671]

How can it be possible to be "overly paranoid" when it comes to machines hooked up to the Internet?

Re:Overly paranoid

[johnwbyrd]

Okay, so what are you going to do about that paranoia? Use OpenBSD? That's too bad, because the NSA has already inserted cryptospy code into the distribution without Theo's knowledge. Oh, so you'll just compile it yourself from the sources, and read and review them all yourself? Too bad because your compiler has code in it that secretly inserts itself when it detects compilation of the OpenBSD kernel. Oh, but you're going to review all the compiler source code yourself and do a Canadian cross to build a clean compiler which you will then use to build a clean OpenBSD kernel from source? Too bad, because Bernstein has been paid gold in a secret numbered bank account in Thailand to insert a bug that will only manifest when it checks the installation of a new kernel on your machine.

Eventually, you have to put your tinfoil hat away and figure out how to get some work done on that there computer. Paranoia has a useful limit.

Re:Overly paranoid

Sources/citations for any of those? Sounds like you're writing an elaborate work of fiction that has very little to do with OpenBSD or reality.

Re:Overly paranoid

[johnwbyrd]

When you can't run the software that your job requires on them.

Re:Overly paranoid

And you just missed the point entirely.

To belabor it: you aren't critical of the paranoid decisions OpenBSD makes for you(*), but you are of those johnwbyrd makes.

*: i doubt you actually use OpenBSD, but whatever.

Re:Overly paranoid

[johnwbyrd]

Bingo! And the fact that you couldn't perceive that is entirely hilarious.

Re:Overly paranoid

[ls671]

You put that "software" on less secure machines behind reverse-proxies, WAP, traffic analysis software, firewalls etc. which run on OSes designed by overly paranoid people.

Re:Overly paranoid

[mdenham]

It's about being certain that the system is secure.

To ensure system security, install this software on the system.

Then unplug all cables from it that would allow usage of the system by anyone ever, because you cannot ensure the system is secure while users still have access to it.

Re:Overly paranoid

[flyingfsck]

You are not paranoid if they really are out to get you and a large part of the OpenBSD userbase is Government/Military, so that is why.

Re:Overly paranoid

[flyingfsck]

Military IT security motto is: We are not happy until you are not happy.

Re:Overly paranoid

Because i have no clue who john is, and the OpenBSD have a proven track record. (ex desktop openbsd user, still openbsd server user) But if you do not trust them then i suggest you do not use OpenBSD. it is not like its existance is somehow limiting you is it?

Re:Overly paranoid

You are intentionally being an ass. its obvious to anyone into security that perfect security is unobtainable, and when someone does say secure they mean "as secure as we can get while stil doing what we need to get done" (i bet theres someone whos gonna comment how openbsd cant do anything, those same people also like their Windows to come preinstalled with everything so they do not need to configure it for their purpose. TWO ENTIRELY DIFFERENT TARGET GROUPS)

Re:Overly paranoid

If the software is insecure then I do not care the job requires it. secure it or do not install it. otherwise you are a part of the zombie problem.

You sound like one of those people who go to work no matter how sick you are because "i cant afford a sickday" and then get everyone else sick. antisocial selfish people.

Re: Overly paranoid

[citation required]

Re:Overly paranoid

[Burz]

Most updates are for security fixes.

OTOH, security by correctness all by itself never prevented resourceful attackers from compiling their own databases of zero-day exploits. Infrequent updates just means the list is somewhat larger. I can't agree with this concept of security.

I've been using Qubes OS to enhance security and though it incorporates Linux it uses a clever Xen configuration instead of SELinux to harden the system. No rules to maintain, just straightforward domains. The upshot is I can even run Windows in seamless mode and still expose my core system to less risk than an OpenBSD system running native apps.

Re:Overly paranoid

[Burz]

Run whatever software you need on Qubes. Even then your system is likely to be more secure than OpenBSD.

Re:Overly paranoid

But openbsd can't do anything. Installation is a horrible mess. Floppies? Probably even typing? Installation of my computer was super-easy, I didn't have to do anything, the guys at Best Buy must have done it for me. Sweet.

Re: Overly paranoid

http://www.openbsd.org/users.html

Not that i bothered to check if the mentioned ones are in the list, but there is a list BSD "users".

Re:Overly paranoid

It's free software, it's not like their going to go out of business. it will always be with us as long as theo deraadt can keep living in his mom's basement.

Looking at his power bill he might be kicked out soon.

Re:Overly paranoid

Then you still make the assumption that Qubes is less buggy and that its developers have thought through the security more carefully than the OpenBSD-team. As de Raadt said:

x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

Joanna and her team seem talented, but the software is new and untested.

Re:Overly paranoid

I disagree. The people that need small flock to openbsd without needing to clamour for anything. And, honestly, the ease with which "modern" devs waste my disk space (and RAM, and cycles, and bandwidth) irks me. So I'm quite happy some people still care, even if it's the openbsd people. And floppies? Just a useful and not entirely arbitrary baseline that will occasionally save the day on exotic hardware.

Remember that this is open source run by amateurs in the classic sense: No need to make money off of what they're doing. That means that death is staved off by exactly as long as there's people interested in it. And if those people are interested in using floppies as a baseline, well... that's not going to cause death of the project.

OTOH, not all small is automatically a good idea. 32bit public keys? That's an impersionation attack waiting to happen; trivial to generate 2^33-or-so keys and end up with at least one viable private key for every possible public key.

Re:Overly paranoid

"Overly paranoid" Hahahahahahaha! If you post such crap after wikileaks and Snowden, you are either a fascist from the NSA, or a complete and total moron.

Re:Overly paranoid

[Burz]

Its a philosophical difference: Qubes' approach leans toward security by isolation where the attack surface is greatly reduced. That reduction is enforced by silicon and a baremetal hypervisor. So where correctness is concerned, Qubes needs much less of it to enforce security.

OTOH, OpenBSD is probably not as good at security by correctness as Qubes is at isolation. And if there were ever a need to elevate the standard for correctness to, say, mathematical proofs, a Qubes architecture would take a fraction of the time and effort.

Traditional OS kernels are good at providing useful features, but are no longer the standard-bearers for security. And its good to see Theo recognizes them as buggy (if not for providing features).

 

Joanna and her team seem talented, but the software is new and untested.

If anyone can test and identify the kinds of hardware pitfalls Theo is complaining about, I'm sure Joanna's team (ITL) would be among them. That's what they've done for years (Joanna's blog frequently picks at x86 implementation issues), and now they have an effort to work around those problems. I don't think there is a drop of naivete in them about what PC hardware can do (or how far current designs can be trusted).

Xen itself is well tested, and that is the basis for Qubes security. The parts of Qubes that are untested are very small, indeed, and that status will change before long.

Re:Overly paranoid

[chriscappuccio]

You don't have a fucking clue what you're talking about.

You are wrong on all counts, from making life "too difficult for end users" (OpenBSD is one of the easiest systems to setup routing/firewalling on) to "never embraced the most recent release of anything" (the ports tree is much quicker than most Linux distros) to the idea that OpenBSD's signing tool was designed to be small solely to fit on a floppy. That's not true. It's designed to be small because THERE'S NO REASON FOR IT TO BE LARGE AND HARD TO UNDERSTAND. That's a recipe for disaster.

Re:Overly paranoid

[chriscappuccio]

Amen brother.

Re: Overly paranoid

I also started using OpenBSD in 1998, and I still use it to this day. It may have appeared to be a viable, timely competitor to Linux at the time because Linux users generally knew their way around a shell. As time has progressed, more and more users picking up Linux have been poorly educated in shell use, have been too lazy to self-educate, and have relied on GUI front-ends or community hand-holding to utilize Linux. This now-majority subset of the Linux user base has about as much actual understanding of Linux as they had when they previously used Windows or Mac OS.

OpenBSD has never actually been a competitor to Linux because the OpenBSD project is not interested in pandering to its user base as a "product". It is more accurate to think of OpenBSD as an ongoing security research project that has incidental benefits for its user base and the larger software domain. The reason floppies are so important to the project is because it continues to be developed on esoteric, decades-old hardware (like VAX). This benefits the security research purpose of the project because this obsolete hardware exposes software bugs that modern hardware or emulators of obsolete hardware do not expose. Those bugs are still operative on the modern hardware, though, so the additional exposure footprint offered by the obsolete hardware actually benefits development on the modern platforms.

Coincidentally and despite all of the above, OpenBSD is still a very good competitor to Linux in many applications, especially for building firewalls. I had the misfortune of using Linux iptables a few months ago, and it was disgusting by comparison to OpenBSD's pf. This continued ability of OpenBSD to perform well against Linux in most areas is quite remarkable given that OpenBSD has far, far fewer developers and far, far less financial support than Linux.

The biggest mistake that most of the posters here on Slashdot are making is that they jump to baseless and uninformed assumptions. They assume, like johnwbyrd, that OpenBSD is a software product (it isn't, as I've shown above). They assume that there is no value to a research project keenly devoted to OS security (some basic research into the matter would show otherwise). They assume that Linux is a proper stand-in for such security research (it isn't, because it is too focused on a commercial target defined by its user base).

Most importantly, these outsiders assume that Theo is a difficult and undeserving person because he responds to unrealistic user demands, or low quality developers submissions, with vigourous and direct honesty. They then transpose that incorrect assumption onto the broader OpenBSD project. Anyone who actually follows the OpenBSD mailing lists would see that Theo's responses are merit-based. When people come in and act ignorantly Theo sometimes responds with negative feedback (although other users often do that for him). Ignorant behaviour may manifest, as in this case, where people ignore Theo's request and put forward alternatives demonstrating the posters' ignorance of the project needs, or in other cases where posters seek help on the lists without even putting in a minimal effort to do the research themselves. I don't fault anyone for chastising someone who is too lazy to do a Google search and read a few man pages, instead expecting the user base or developers to work for them for free. Give me a break!

On the other hand, I have often seen Theo or other developers respond to user queries where those users actually demonstrate some initiative, even if they fall short of what would be expected from an educated professional working in the security field. This is quite remarkable considering that Theo and many other OpenBSD developers are experts in their field. Try having a similar quality interaction as a member of the general public with a university researcher that is expert in a given field. More often than not you won't receive any response at all.

It is also important to note that the other developers either support Theo expressly or by

Re:Overly paranoid

So, you are recommending Windows I take it? Because that's the only one that everything I might need to use runs on. Not that I have any issue running Windows, I am forced to at work and personally don't care much for computers these days. But the Linux guys all whining about how OpenBSD sucks is quite hilarious - if only they'd look in the mirror. From a non-IT guy, this whole debate on here looks like jealous children.
If you don't like an OS, don't use it - easy! But why discourage more open source activity even if you don't want to use it? It can only help everyone down the road.

 

Re:Overly paranoid

[101percent]

This is utter bullshit. Do you know how easy it is to connect to a WPA2 network with # ifconfig ? Do you know how easy it is to activate a proven secure httpd, named and other unix services including deployments such as access points and firewalls. Do you really believe iptables is easier than pf? Do you really think selinux is easy? Do you jump on every bandwagon like everyone else and now have all your tweets stored on the library of congress and all your information in the hands of facebook mark "they trust me, dumbfucks" zuckerberg? As Theo says, if you want something new and shiny off the shelf, go get it, but don't come crying later from this mentality of not knowing when to say, "wait maybe this isn't the best idea." What is so "new" that OpenBSD desperately needs? And why do you think they owe it to you? Since when has embracing the most recent release made your life easier or more secure? Would you believe a recent OpenSSH makes you more secure, because OpenBSD is the first to have it, always. Would a new pf make you more secure, because OpenBSD has it, always. What about ipsec, which OpenBSD was first to implement? I can't believe you were upvoted to 5.

Re:Overly paranoid

OpenBSD is a great example of what happens when you make life too difficult for end users and administrators in the name of Security

Congratulations, you've just discovered the #1 priority of OpenBSD.

Re:Overly paranoid

Are you mentally impaired? Honest question, here.

Re:Overly paranoid

Wish I had modpoints. This whole conversation thread is pretty interesting, really.

Re:Overly paranoid

I think the bit about needing to be on a floppy is bit of a red herring in this story which people are obsessing too much about.

So the new code uses some state of the art work by a very well known expert in the encryption space (DJ Bernstein). Some of the work that went into the new framework comes from here: http://nacl.cr.yp.to/ ; the paper to start with is this one: http://cr.yp.to/highspeed/coolnacl-20120725.pdf

The cool thing with this new code vs something like openssl is how small the encryption code is and therefore more auditable. For example see this cool demo: https://twitter.com/TweetNaCl showing what you can fit in 100 tweets. As a side effect, being small means being able to fit on a floppy which the OpenBSD project chooses to continue supporting as an installation method. From my point of view, it's their right to do so and I like the discipline it enforces on code bloat. (It also means some 3rd world countries with access to only ancient computer hand-me-downs still get to potentially use OpenBSD)

The second thing to point out is that although other projects were signing packages for many years, the OpenBSD project always pointed out (rightfully so) that which the mechanics of encryption are dead-easy, the real problem is key management. This is an area that pretty much everyone of the people commenting has completely missed which just shows how incompetent the general slashdot crowd is. I would ask anyone belittling what OpenBSD is doing to assess what their favourite distribution is doing in terms of key management.

From my point of view I continue to be impressed with the work being done on OpenBSD.

PPC? I think not!

Itanium is the way forward

Re:PPC? I think not!

Itanium was the platform where EFI was introduced in order to replace 16bit BIOSes. EFI later became UEFI, which virtually all desktop computers ship with. You were saying?

Re:PPC? I think not!

....UEFI, which virtually all desktop computers ship with.

Begrudgingly, how many workstations these days tout having UEFI and BIOS as a feature so you can go back to BIOS when UEFI doesn't work?

One thing OpenBSD is not is a joke

You might want to rethink that "limited by floppy disk support" or "bad joke."

They obviously aren't since they released the new feature and are still supporting install via floppy. For reference Apple can suck OpenBSD's dick.

I bet you think noone still uses mag-tape storage...

Re:One thing OpenBSD is not is a joke

Floppies are almost exclusively dead. Tape is the only realistic backup media for large-scale, long-term, enterprise archival. It may not be fast, but it's relatively sane to work with and lasts for a long time if you've got an appropriate storage facility. Backups back to 7 years, minimum, etc.. The sort of thing you expect out of a law firm or International MegaCorp Inc.. Still big in the mainframe world.

Floppy discs and the programmers who use them!

[danpbrowning]

Many members are up in arms over the large new utility: "Programmers these days with their fancy new computers and their gigantic 'five and a quarter' new-age magnetic spinning discs are constantly looking down on us 'old-fashioned' punch-card programmers. Why can't they write a new utility that supports six rows of 8-bit EBCDIC? Laziness. This just proves that OpenBSD don't care about small, home-built systems. Sixty four bytes is big enough for anybody."

Re:Floppy discs and the programmers who use them!

[cold+fjord]

You know they aren't really writing large programs since they haven't been forced to use 8" floppies.

Re:Floppy discs and the programmers who use them!

[flyingfsck]

OK, you jest, but I am not: Military/Government is a large part of the OpenBSD userbase. They still use a large number of antiquated and extremely, unbelievably expensive equipment. So it makes sense after all.

Re:Floppy discs and the programmers who use them!

[aliquis]

OK, you jest, but I am not: Military/Government is a large part of the OpenBSD userbase. They still use a large number of antiquated and extremely, unbelievably expensive equipment. So it makes sense after all.

Yeah! Two of their users are within the military!

Re:Floppy discs and the programmers who use them!

[coolsnowmen]

Let's pretend your are right about the Millitary/Government having antiquated expensive equipment using OpenBSD that only has a floppy drive.

Why do they they need to install the newest version on it?

You're wrong.

[fisted]

$ ls -lh `which gpg`
-rwxr-xr-x 1 root wheel 892K Jan 19 06:09 /usr/pkg/bin/gpg
$ file !$
file `which gpg`
/usr/pkg/bin/gpg: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 6.1.2, stripped
$ ldd !$
ldd `which gpg`
/usr/pkg/bin/gpg:
-lintl.1 => /usr/lib/libintl.so.1
-lgcc_s.1 => /usr/lib/libgcc_s.so.1
-lc.12 => /usr/lib/libc.so.12
-lz.1 => /usr/lib/libz.so.1
-lbz2.1 => /usr/lib/libbz2.so.1
$ uname -rsm
NetBSD 6.1.2 amd64

So your statically linked gpg binary is smaller than my dynamically linked gpg binary on the closely related NetBSD.
That does not seem legit, please run the commands I ran, on the not-upx'ed binary and post the results.

Re:You're wrong.

[broken_chaos]

Also important is: which version are you looking at? The 1.4 series (still updated) is intended for smaller/embedded installs, while the 2.x series is intended for mainstream (especially desktop) usage

Re:You're wrong.

[fisted]

$ gpg --version
gpg (GnuPG) 1.4.15

(good call, broken_chaos)

Re:You're wrong.

[stderr_dk]

Also important is: which version are you looking at? The 1.4 series (still updated) is intended for smaller/embedded installs, while the 2.x series is intended for mainstream (especially desktop) usage

It's also important to ask why they are even looking at the main gpg executable and not gpgv?

gpgv is a stripped-down version of gnupg which is only able to check signatures. It is smaller than the full-blown gnupg and uses a different (and simpler) way to check that the public keys used to make the signature are trustworthy.

Re:You're wrong.

[fisted]

good call, I wasn't aware of gogv. It's 340K, but uses the same shared libs

Re:You're wrong.

[fisted]

eh, gpgv

Dupe?

[Nemyst]

I know dupes are a long time Slashdot tradition, so I'm asking: is this a dupe from 1995 or something? Because it sure feels like it.

Re:Dupe?

[abhi_beckert]

It's not a dupe, it's just that everyone installs from source on OpenBSD, so signing the binary never made much sense.

Re:Dupe?

[Burz]

It's not a dupe, it's just that everyone installs from source on OpenBSD, so signing the binary never made much sense.

Yeah, because its realistic for people to be their own code auditors for a whole OS, and for each install and update.

I'm sorry, but this makes OpenBSD users sound like morons. IMO, they shouldn't try to justify the myopia that has lead to this situation.

Re:Dupe?

Yeah, because its realistic for people to be their own code auditors for a whole OS, and for each install and update.

No, it's not realistic to expect people to audit the code, but they can audit the checksums, or the cryptographic signature of the source archive they download.

I'm sorry, but this makes OpenBSD users sound like morons. IMO, they shouldn't try to justify the myopia that has lead to this situation.

IMNSHO you are a moron. You tried to use big words like myopia, but your argument is based on a false premise. OpenBSD users generally download and check the signature for *source* archives which they then compile locally. This is neither myopic, nor moronic. Binary package signing was somewhat moot as a result. Now, more OpenBSD users want to download trusted binary packages and the OpenBSD project continues to oblige them, and now it is also making it safer by signing the official binary packages.

Re:Dupe?

[thogard]

If I compile from source, I can ensure that the binary I have is unlike any other in the world. That has protected my machines in the past so I will keep doing it.

Re:Dupe?

[chriscappuccio]

You're thinking about FreeBSD.

Re:Dupe?

[petrus4]

Yeah, because its realistic for people to be their own code auditors for a whole OS, and for each install and update. It is entirely realistic if you know what you are doing. My default FreeBSD install fits into 65 Mb of RAM. As I have observed before on this site many times; narrow mindedness and aggression have a marked tendency to go together. The more ignorant a person is, the more adamant they usually are about expressing it. Not all of us live according to argumentum ad novitatem.

Theo Theo Theo

I read a story about Theo having a hard time keeping all the servers running and hoped a company would pick up the tab --for no compensation. I know that Theo might be having problems, but then I heard the story of about 3 million ATM's running 12 year old versions of windows that are nearing EOL. I thought about Theo and openBSD. Linus Torvalds has knocked it for everything, except security. Its quite poor (slow, inefficient) at doing just about everything else, except security, and I thought about all those ATMs. An ATM doesn't need much. It needs to read a few inputs, a few drivers for counting money, and it needs a very secure network connection. openBSD is absolutely perfect for use in ATMS. If just 1 bank adopted openBSD for their ATMs, they would likely save Theo's costs, and would likely see wider adoption.

Re:Theo Theo Theo

I read a story about Theo having a hard time keeping all the servers running and hoped a company would pick up the tab --for no compensation.

No compensation besides a pretty rock solid server OS they can modify and use as they see fit you mean?

Those ATM companies could simply pick up OpenBSD for free and make it work. That would put 0 money in Theo's pockets. (and slow+secure is a hell of a lot more useful than fast+insecure when you are directly attached to the internet)

It seems to me you do not really know what you are talking about and just repeating some rumors you have picked up at random uninformed or biased blogs.

Re:Theo Theo Theo

[chriscappuccio]

Slow and secure are not necessarily related. There are cases where OpenBSD is 1-2% slower because of some specific security feature, such as 100% PIE executables, but the real slow downs are from old BSD code which is slowly being reworked to be fast and efficient. There are only so many people and so many minutes in a day to make these improvements.

The general idea on Slashdot that OpenBSD is slow because it's secure is just plain WRONG. It's slow (less and less so, I might add) because it takes time to speed it up and that is a priority for some, not all, developers.

Debian has had it for a while

I'm not as familiary with RedHat or SuSe archives, but I did a little digging over at debian.org.

The debian-archive-keyring package changelog shows an initial release on 10 January 2006, or eight years ago.

Digging deeper, the devscripts changelog shows the signchanges program (now called debsign) was added in July 1999. The changelog entry implies that it was to aid an already existing signing system, so Debian has had it for about 15 years, possibly longer.

Now consider that Debian has a reputation as a late adopter.

Re:Debian has had it for a while

[aliquis]

I think they have been using hashes on source/distribution files in ports (I don't know the pkg stuff work, I don't run it nowadays) and you can use CVS to get the ports system (or OS source) and use SSH for hooking up to the CVS server and show the SSH key fingerprint through CVS.

It doesn't just fetch anything from RapidShare and executes it.

Re:Debian has had it for a while

[petermgreen]

Debian don't sign the binary packages directly (they do sign source packages but that is more as a conviniance to users who get a source package from somewhere other than the repo). Both the upload and download sides of things are now protected by GPG signatures but the two systems are seperate and one is much newer than the other

The "upload" (developer--->repo) side of things is secured by a signature on the "changes" file which describes the upload. The changes file in turn contains secure hashes* of the files that are being uploaded. It has been this way for as long as I can remember**.

the "download" (repo--->user) side of things is secured by signatures on the "Release" files. The release files contain secure hashes of the "Packages" files which in turn contain secure Hashes of the files in the repo. This system was introduced with debian etch (released in 2007 though testing users would have had the functionlity earlier).

* At least md5, usually also sha1 and sha256. AIUI if multiple hashes are present they are all required to match.

Re:bsd is dead

[Burz]

Its dead to me. I've turned my back on more than one project (security software, no less) because the author demanded I take a leap of faith with unsigned code.

Charlatans.

Re:bsd is dead

[ChunderDownunder]

Soon enough if they don't get donations totalling $20,000 to pay their power bill.

http://bsd.slashdot.org/story/14/01/15/1719244/openbsd-looking-at-funding-shortfall-in-2014

Posting by arrogance?

[dbIII]

Seems the above poster knows almost nothing about openbsd, has formed an ignorant opinion and is arrogantly using that to accuse people of arrogance.
A lot of people use ports instead of packages. Packages are seen as the convenient alternative that is the inflexible and insecure way to install things.

Elliptic Curves? Designed by NIST?

I note that the crypto software used, is based on an elliptic curve designed by the NIST.
I am not any kind of crypto guy, but IIRC these elliptic curves rely on some magic constants. No one has ever explained how these magic constants were obtained. There has always been some suspicion, now heightened, that the NSA asked the NIST to deliberately choose constants that would allow the NSA to break the encryption as needed.
So why did DJ Bernstein and Co not design their own elliptic curve?
pgmer6809

Re:Elliptic Curves? Designed by NIST?

They did, you moron. Just like your post is moronic, but not every moronic post is yours, there is an elliptic curve designed by NIST, but NIST didn't invent (and backdoor) every elliptic curve out there.

"25519" in Ed25519 stands for elliptic curve named "curve25519" designed by D.J. Bernstein.

Probably for bootable CDs

[Animats]

This is probably because they want the signature checker to fit in the CD boot loader. For historical reasons, bootable CDs imitate a floppy during the initial boot process, and contain an image of a 1.44MB floppy with a FAT file system. When you boot an PC-type x86 machine from CD, that simulated floppy (the file "floppy54.fs" for OpenBSD) is read by the BIOS and a file from it is executed.

This process is so retro that the initial program loaded is executed in 16-bit X86 mode.

Re: Probably for bootable CDs

[buchanmilne]

But, if you are booting from CDs, and the CD has the rest of the media, why do you need the utility for verifying signatures on the boot media (1.44MB image)? Bootstrap the installation image from the iso9660 part of the CD (or network in the case if a network install)? and have that contain the signature verification utility.

Hint: RPM-baswd distro have been doing this since rpm 3.x, or about 1999.

Really, who uses floppies for installation these days? Sure, maybe floppy emulation on a DRAC or iLO or ILOM, but they all
-support CDROM or DVD emulation
-PXE boot (with relatively large images possible via TFTP)

If none of these are options, just write the whole (hybrid) ISO image to a 4GB USB flash disk and be done with it.

I personally haven't used an actual CD-RW or DVD to install a syatem in about 5 years. Either network install booted via PXE for servers, or USB flash disk for laptops.

Re:Probably for bootable CDs

[petermgreen]

This is probably because they want the signature checker to fit in the CD boot loader. For historical reasons [mit.edu], bootable CDs imitate a floppy during the initial boot process, and contain an image of a 1.44MB floppy with a FAT file system.

Bootable CDs can emulate a floppy during boot but that is not the only supported boot method.

This process is so retro that the initial program loaded is executed in 16-bit X86 mode.

That's just PC BIOS booting in general though, not really much different from booting off any other media. It does mean your first state bootloader has to be small though

2020 called

[dbIII]

And asked why so many commercial operating systems still have nothing as advanced as the ZFS on *bsd in 2014.
It will take than long to get a greatly improved MS system win10, Windows RAP or whatever they want to call it.
It makes a grown man cry.

Re:2020 called

What is this "Windows" you speak of?

-- 2025

Re:2020 called

[fast+turtle]

We are the Borg - your Technological and Ecological diversity will be added to the collective. Resistence is Futile.

We are Microsoft. You are using an unlicensed copy of Windows 3000. Your computers will now shutdown due to failing product activation. Good Day.

Re:bsd is dead

[fisted]

Its dead to me. I've turned my back on more than one project (security software, no less) because the author demanded I take a leap of faith with unsigned code.

Whatever you're talking about, it seems to have little to do with the matter being discussed.

no end to hapiness

[dimko]

All 2 users of floppy drives were very happy, rest 5 didn't care.

arc4random

I hope they're not actually using RC4 in any capacity anymore. (It's referenced in that code.)

ChaCha20 would be a suitable drop-in replacement.

Re:arc4random

[chriscappuccio]

Indeed, arc4random is ChaCha20-based in OpenBSD 5.5.

build from source

I'm surprised that this wasn't implemented a long time ago. Even Windows has had signed code for quiet some time.

This is a good step forward, but the main reason it probably wasn't done earlier is because most folks build from source on the BSDs. When the tarball is fetched, its checksum is verified on download:

http://www.openbsd.org/cgi-bin/cvsweb/ports/archivers/bzip2/distinfo?rev=1.8
http://svnweb.freebsd.org/ports/head/archivers/bzip2/distinfo?revision=300895&view=markup

You then do a "make package" to build the binary package locally (with any options you want), and install from there.

Now add deterministic builds...

Signed packages are great. Now several projects are moving to "deterministic builds" and one can only hope the pace quickens.

Deterministic builds allows compiling on different machines (even potentially compromised ones) and verify that the end-results are identical (hence lowering the probability that they've been "tainted" by backdoored compiler/OS/hardware during compilation/build).

This *is* the future. And we're gonna get there.

Too expensive

[tiagosousa]

Won't this increase their electricity bill?

Re:Too expensive

[chriscappuccio]

Signing with pkg_add+signify was designed to add negligible time to the package building process. It was carefully incorporated to this end. And, works quite nicely.

Nice example of source code (for open source)

Except for the preamble, not a single fucking comment in the entire source file.
Way to go....
I am sure it will be easily maintainable by someone else in the future and they won't make any mistakes..

Disk vs Disc

And here the whole time I though disk was the short form of Computer Diskette as a portable media. As the compact disc was a compact version of the laser disc media it replaced. Lets not get into an argument over Dvd being digital video disc as we all know video is now not the only thing that is stored on it.

Where's my OpenBBQ? I'm starving!

I already have heard about a lawyer who got into computation, but certainly because he got screwd with drugs or somehting worse, since the guy was slow, pratically a retart. As where I live, if someone get arrested by anything, You can't get a public service anywhere, neither private because most of law firms will analyse the applicant's back story.

Re:bsd is dead

So you never used or head of ports? No sir, you are the charlatan, passing yourself as someone knowledgeable.

Re:Archimedes may be dead...

But ARM may live on because of economics, like how intel won because in the 90's because of economics!

Where do they get floppy disks!?

I haven't seen a floppy disk for sale in well over a decade. Most major stores don't even sell DVD blanks.

Old hardware for extra security

With all this talk about NSA's fingers getting into computers at the hardware level, wouldn't you prefer your ultra-secure system to date back to before the Patriot Act at the very least?

Party like it's 1999

[ebvwfbw]

Great. Glad they did it.

Finally. BSD is just up to the late 1990s. RedHat had their RPM in 1997 and I think by 1999 even Microsoft signed their stuff. If it weren't for the done for FREE port for Apple, I think it would have died years ago.

Bring more stuff into the kernel and maybe I'll consider trying it again.

Package signatures were supported since 2010

[ConstantineM]

For what it's worth, it would seem like [a different kind of?] a package signature system was actually supported since 2010, it's just that the official packages were never signed.

http://www.openbsd.org/faq/faq15.html#PkgSig

Revision 1.71:
Sat Jul 17 09:02:47 2010 UTC (3 years, 6 months ago) by ajacoutot
Changes since revision 1.70: +65 -1 lines

Add a "Package signatures" section to teach people how to create and use
signed packages. Still opened for enhancement but all info is there now.

Floppy Disc???

gosgog:

FLOPPY DISCS HA! HA! HA! do you have outdoor plumbing too? & How about the Sears Catalog in it, bet you walked to school and had no shoes too!