Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto

Posted by Soulskill on from the those-signatures-will-be-worth-a-lot-of-money-some-day dept.

ConstantineM writes "It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."

8 of 232 comments (clear)

  1. Very surprised that it took this long by ModernGeek · · Score: 4, Insightful

    I'm surprised that this wasn't implemented a long time ago. Even Windows has had signed code for quiet some time.

    --
    Sig: I stole this sig.
    1. Re:Very surprised that it took this long by Anonymous Coward · · Score: 5, Insightful

      I'm just bothered that such a decision was made based off of the arbitrary capacity of a floppy diskette. The Floppy-based installer should compensate by having it fit across multiple disks and stored into RAM, or some other solution. What's next? Something won't run on a machine with less than 8MB of RAM, so it will be shoved off?

    2. Re:Very surprised that it took this long by cold+fjord · · Score: 3, Insightful

      So, do you have a timeline for when other *BSD and Linux distributions switched to signed packages? It looks to me that FreeBSD only started that move at the end of October, and doesn't appear to be there yet. I don't think I would call that a "crushing" lead.

      There wouldn't happen to be some trolling going on with your post, is there? Especially the "security by arrogance" bit?

      Thu Oct 31 02:10:33 UTC 2013

      Pkg 1.2 will be released in the coming month which will bring many
      improvements including officially signed packages. FreeBSD 10's pkg
      bootstrap now also supports signed pkg(8) installation.
       

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:Very surprised that it took this long by Sean · · Score: 3, Insightful

      And how exactly do you get the OS and compilers to build the source code with?

    4. Re:Very surprised that it took this long by Kjella · · Score: 4, Insightful

      Theo is the same that he's been for the last 20 years, on the one hand he's militant about the BSD license which gives away all the code to multi-billion corporations then a giant crybaby when the same corporations take the code and give him nothing but a cold shoulder in return. Oddly enough he's managed to gather a small following which barely keeps OpenBSD alive, usually by threatening to shut down OpenSSH development which is their only true success but this is neither the first nor the last time he's making such ultimatums.

      If Linus is the benevolent dictator for life, Theo is the not-so-benevolent dictator for life. He started OpenBSD so he could run the show and any oppositition is harshly cut down. Don't argue with him about how the project's managed, what costs are necessary, everything is as Theo has decided it should be and he's only complaining that nobody is willing to fund his masterpiece. Your input is not wanted, just your wallet and he treats everyone from the smallest individual contributor to giant corporations the same. He's got balls of steel and an ego the size of a planet, but in the end he'll always be going around with a beggar's cup.

      --
      Live today, because you never know what tomorrow brings
  2. Re:Floppy disks? by Anonymous Coward · · Score: 3, Insightful

    And when you want to use a hopelessly antiquated computer for something, OpenBSD will be there for you.

  3. Re:Floppy disks? by gwolf · · Score: 5, Insightful

    No, it won't make much sense even with that in mind. Even less, in fact.

    Embedded systems are usually factory-installed. In the factory, they don't do the installs via floppies. Most OpenBSD installs today are done off their (very good!) CD-ROM media, or maybe even more, by USB.

    Floppy disks are used for a tiny percentage of installs (yes, even of *their* installs). Alright, they don't want to dump very old architectures that are known to work and have no other acceptable bood medium, but in the end... Basing the entire OS in the least common denominator takes a toll on the general usability of the system in everyday settings.

  4. Re: Probably for bootable CDs by buchanmilne · · Score: 3, Insightful

    But, if you are booting from CDs, and the CD has the rest of the media, why do you need the utility for verifying signatures on the boot media (1.44MB image)? Bootstrap the installation image from the iso9660 part of the CD (or network in the case if a network install)? and have that contain the signature verification utility.

    Hint: RPM-baswd distro have been doing this since rpm 3.x, or about 1999.

    Really, who uses floppies for installation these days? Sure, maybe floppy emulation on a DRAC or iLO or ILOM, but they all
    -support CDROM or DVD emulation
    -PXE boot (with relatively large images possible via TFTP)

    If none of these are options, just write the whole (hybrid) ISO image to a 4GB USB flash disk and be done with it.

    I personally haven't used an actual CD-RW or DVD to install a syatem in about 5 years. Either network install booted via PXE for servers, or USB flash disk for laptops.