Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: integrity of commercial CD set

From: Enos D'Andrea (temp4282138782edlabs.it)
Date: Thu Jan 15 2015 - 00:27:08 CST

On 14/01/2015 17:03, martinmartinbrandenburg.com wrote:
> [...] you trust Theo and OpenBSD because you have no better option.
> Don't pretend you increase your security by proving the software came
> from a source you can't prove is trustworthy. [...]

More than Theo himself, what makes me trust OpenBSD is its stable,
clean, open and essential code reviewed by a very skilled community.
That's why I go the extra mile(s) to ensure running *that* code.


> Security is about pushing attacks out of your attackers' ability or
> price range. [...] Are you willing to go to the effort that defending
> against your outlined attack requires?

Being my current line of work, yes. Not that I or my clients have
anything malicious to hide, but some government agencies and vendors
seem to have lost touch with reality and/or ethics.

The discussion went off topic. I was just after signed CD checksums, to
raise the security of my physical delivery on par with that of the
source code. Never mind: I will make do with downloading an ISO, while
the kid within me enjoys the boxed CD set (which, save missing CD
checksums for paranoid security people, is very nice indeed).


Many thanks to Theo and the others for your advice and opinions.


Enos D'Andrea