Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto

Soulskill posted about 6 months ago | from the those-signatures-will-be-worth-a-lot-of-money-some-day dept.

Encryption 232

ConstantineM writes "It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."

cancel ×

232 comments

Sorry! There are no comments related to the filter you selected.

Very surprised that it took this long (4, Insightful)

ModernGeek (601932) | about 6 months ago | (#46002889)

I'm surprised that this wasn't implemented a long time ago. Even Windows has had signed code for quiet some time.

Re:Very surprised that it took this long (5, Insightful)

Anonymous Coward | about 6 months ago | (#46002899)

I'm just bothered that such a decision was made based off of the arbitrary capacity of a floppy diskette. The Floppy-based installer should compensate by having it fit across multiple disks and stored into RAM, or some other solution. What's next? Something won't run on a machine with less than 8MB of RAM, so it will be shoved off?

Re:Very surprised that it took this long (0)

Anonymous Coward | about 6 months ago | (#46002907)

At least you spelled disk the right way.... A floppy disc would have a hard time loading into a CD tray.

Re:Very surprised that it took this long (2)

sumdumass (711423) | about 6 months ago | (#46003111)

Nah. the floppy discs work just fine. I remember getting them with cereal boxes in the mid to late 90s. You could do about anything other then fold them in half and they would still work for a while. After about 20 uses, you needed another though.

http://en.wikipedia.org/wiki/Chex_Quest [wikipedia.org]

Here is an example. I think they were made of cardboard but some were made out of the plastic like what you would see on a floppy cutting board. Usually they were part of the box and you needed to cut them out in order to use them.

Re:Very surprised that it took this long (2, Informative)

Anonymous Coward | about 6 months ago | (#46003373)

"Disc" is how English speakers outside the US spell the word describing a round, flat object. The reason one item is referred to as a "floppy disk" and one as a "compact disc" is simply their origin. The Compact Disc was developed by a Philips/Sony team, companies located in the Netherlands and Japan respectively. The floppy disk was developed by US based IBM.

Re: Very surprised that it took this long (0)

Anonymous Coward | about 6 months ago | (#46003547)

i'm bothered by the fact that you feel the capacity of a floppy disk is arbitrary. If the HDD makers get wind of this we are all in trouble.
I mean nobody cares anymore that they round up to 00000's and give us some crap about binary vs decimal, cause hard drives are so big now. But if you think i'm gonna buy a hard drive with some arbitrary number of bytes, or bits and not even know till i plug it in?
Man, you are the devil !

Re:Very surprised that it took this long (2, Interesting)

Anonymous Coward | about 6 months ago | (#46002919)

OpenBSD is security by arrogance: nobody cares much to pay any attention to it, and anyone who comes with good intentions gets shouted down.

Distributing unsigned packages in 2014 shows such a lack of concern for even the most basic risks facing administrators and end users that I can only assume it was intentional.

Re:Very surprised that it took this long (4, Informative)

fisted (2295862) | about 6 months ago | (#46003185)

Wrong. Using binary package is just considered not the right way to do things, in OpenBSD land.
What you do is, check out the source repository, which does make sure the data you get hasn't been tampered with, then build it from source.
For mass deployments, you can then create binary packages from the result (secure distribution to other machines is your job, however. although that typically isn't much of a concern since it usually happens on the local network.

IOW, your comment is pure BS.

Re:Very surprised that it took this long (3, Insightful)

Sean (422) | about 6 months ago | (#46003449)

And how exactly do you get the OS and compilers to build the source code with?

Re:Very surprised that it took this long (0)

Anonymous Coward | about 6 months ago | (#46003487)

Linux based bios

Re:Very surprised that it took this long (1)

fisted (2295862) | about 6 months ago | (#46003681)

Those "probably" (read: as is the case for any other OS) come with the installation media, which is an entirely different matter.

Re:Very surprised that it took this long (3, Insightful)

cold fjord (826450) | about 6 months ago | (#46003207)

So, do you have a timeline for when other *BSD and Linux distributions switched to signed packages? It looks to me that FreeBSD only started that move at the end of October, and doesn't appear to be there yet. I don't think I would call that a "crushing" lead.

There wouldn't happen to be some trolling going on with your post, is there? Especially the "security by arrogance" bit?

Thu Oct 31 02:10:33 UTC 2013 [freebsd.org]

Pkg 1.2 will be released in the coming month which will bring many
improvements including officially signed packages. FreeBSD 10's pkg
bootstrap now also supports signed pkg(8) installation.
 

Re:Very surprised that it took this long (5, Informative)

Anonymous Coward | about 6 months ago | (#46003521)

Majority of Linux installations use RPM or APT, and those had GPG signing since ~2005.

Debian has had it for a while (4, Informative)

Anonymous Coward | about 6 months ago | (#46003567)

I'm not as familiary with RedHat or SuSe archives, but I did a little digging over at debian.org.

The debian-archive-keyring package changelog shows an initial release on 10 January 2006, or eight years ago.

Digging deeper, the devscripts changelog shows the signchanges program (now called debsign) was added in July 1999. The changelog entry implies that it was to aid an already existing signing system, so Debian has had it for about 15 years, possibly longer.

Now consider that Debian has a reputation as a late adopter.

Re:Very surprised that it took this long (0)

Anonymous Coward | about 6 months ago | (#46003595)

Don't forget that they make high level decisions based on floppy disk support in 2014.

Posting by arrogance? (1)

dbIII (701233) | about 6 months ago | (#46003641)

Seems the above poster knows almost nothing about openbsd, has formed an ignorant opinion and is arrogantly using that to accuse people of arrogance.
A lot of people use ports instead of packages. Packages are seen as the convenient alternative that is the inflexible and insecure way to install things.

Re:Very surprised that it took this long (1)

citizenr (871508) | about 6 months ago | (#46003763)

It doesnt have to be secure, nobody uses openbsd outright.
It exists solely for the purpose of begging for donations while at the same time letting big corporations take its code and include in their products without giving back.

Re:Very surprised that it took this long (4, Interesting)

hairyfeet (841228) | about 6 months ago | (#46003591)

Well considering the fact that OpenBSD is in danger of shutting down due to lack of funding [osnews.com] I really don't think starting this NOW is the greatest of ideas. Click on the comments to the article I linked to and they have a letter from de Raadt berating some for daring! to suggest that they might not ought to support a shitload of ancient formats like VAX if they are losing THAT much cash so I'd be amazed if they are here next year.

I'm sure I'll get hate from the *BSD fans but truth is truth and when you are bleeding cash like that you can NOT just give everyone a bad attitude and a "we deserve this", not when you are counting on those same people to support you. Either de Raadt stops running that huge mound of servers or they bleed to death, simple as that. And from the looks of that letter he'd be perfectly happy with it being the latter if it means giving an inch otherwise. Sorry guys but I've dealt with "never give an inch" types in business and in my exp they usually end up bankrupt. The wise owner rolls with the punches and accepts there is gonna be downturns, the arrogant owner says "I deserve it all" and runs the company into the ground.

Re:Very surprised that it took this long (1)

dbIII (701233) | about 6 months ago | (#46003653)

If they go under that just means no conference and having to beg server space from someone. Volunteer groups go over the edge all the time and comparing them to a business is pointless since the aims are very different.

First! (-1)

Anonymous Coward | about 6 months ago | (#46002891)

Ahhhhh!

I tried signing mine (0)

Anonymous Coward | about 6 months ago | (#46002893)

But I found that the marker caused some skin irritation. Anyone else find this, or figure out a good treatment?

Re:I tried signing mine (0)

Anonymous Coward | about 6 months ago | (#46003577)

Yeah but I highly doubt you'd have trouble fitting your package into a floppy.

Bernstein is a charlatan (-1)

Anonymous Coward | about 6 months ago | (#46002905)

Did DJB actually invent something this time, or did he stamp his name on a traditional idea and claim vehemently that he invented it, like he usually does?

bsd is dead (-1)

Anonymous Coward | about 6 months ago | (#46002915)

How long before the bsd is dead pasta is posted?

Re: bsd is dead (0)

Anonymous Coward | about 6 months ago | (#46003039)

Prove it

Re:bsd is dead (0)

Burz (138833) | about 6 months ago | (#46003569)

Its dead to me. I've turned my back on more than one project (security software, no less) because the author demanded I take a leap of faith with unsigned code.

Charlatans.

Re:bsd is dead (1)

fisted (2295862) | about 6 months ago | (#46003691)

Its dead to me. I've turned my back on more than one project (security software, no less) because the author demanded I take a leap of faith with unsigned code.

Whatever you're talking about, it seems to have little to do with the matter being discussed.

First thought upon seeing the headline: (5, Funny)

macraig (621737) | about 6 months ago | (#46002923)

What does openBSD have to do with tattooing your Johnson?

Re:First thought upon seeing the headline: (0)

Anonymous Coward | about 6 months ago | (#46002953)

You can whack off in safety knowing that your OpenBSD box is secure because nothing runs on it except DJB software.

Re:First thought upon seeing the headline: (1)

cold fjord (826450) | about 6 months ago | (#46003213)

They don't have much of a budget for advertising.

Re:First thought upon seeing the headline: (0)

Anonymous Coward | about 6 months ago | (#46003245)

Get yourself a nice, satisfied looking Puffy there and the ladies will never look you the same afterwards.

Re:First thought upon seeing the headline: (2)

Megahard (1053072) | about 6 months ago | (#46003513)

That's why it has to fit on a floppy.

Re:First thought upon seeing the headline: (0)

Anonymous Coward | about 6 months ago | (#46003741)

One of the funniest /. comments I've ever read, especially with that name...

openbsd is comprimised by NSA (-1)

Anonymous Coward | about 6 months ago | (#46002959)

he took US government money and then they made up a fake story about him having the money pulled but lets face it...

Re:openbsd is comprimised by NSA (0)

Anonymous Coward | about 6 months ago | (#46002975)

DJB accepted NSF grants?!!

Floppy disks? (2, Interesting)

thue (121682) | about 6 months ago | (#46002977)

Being limited by floppy disk support requirement sounds like a bad joke. Is that really relevant for any computer which is not hopelessly antiquated in 2014? For reference, Apple stopped shipping floppy disk drives by default in 1998.

Re:Floppy disks? (3, Insightful)

Anonymous Coward | about 6 months ago | (#46003027)

And when you want to use a hopelessly antiquated computer for something, OpenBSD will be there for you.

Re:Floppy disks? (0)

Anonymous Coward | about 6 months ago | (#46003701)

Yeah. But until that time comes, let's keep making fun of it!

Re:Floppy disks? (1)

Daniel_Staal (609844) | about 6 months ago | (#46003083)

Well, I haven't followed the discussion, but I do know that one of OpenBSD's major markets is basically semi-embedded systems: Firewalls and routers. It's likely they won't have much in the way of external storage attachment, or much in the way of internal storage at all. Given that, it might make sense. I don't know.

Re:Floppy disks? (5, Insightful)

gwolf (26339) | about 6 months ago | (#46003171)

No, it won't make much sense even with that in mind. Even less, in fact.

Embedded systems are usually factory-installed. In the factory, they don't do the installs via floppies. Most OpenBSD installs today are done off their (very good!) CD-ROM media, or maybe even more, by USB.

Floppy disks are used for a tiny percentage of installs (yes, even of *their* installs). Alright, they don't want to dump very old architectures that are known to work and have no other acceptable bood medium, but in the end... Basing the entire OS in the least common denominator takes a toll on the general usability of the system in everyday settings.

Re:Floppy disks? (1)

Daniel_Staal (609844) | about 6 months ago | (#46003205)

I said semi-embedded for a reason: I'm more thinking of hobiest/custom firewalls and routers. The ones from the factory tend to run a version of Linux or PFSense - But you can get similar devices from manufacturers without an OS that you can install your own OS onto.

Not that I'm sure I disagree with you. Just trying to think of a rational reason and give them the benefit of the doubt. However hard that is.

Re:Floppy disks? (1)

TarPitt (217247) | about 6 months ago | (#46003481)

As far as OpenBSD is concerned, "the general usability of the system in everyday settings" is the bottom priority.

No, in fact the lack of general usability is a goal OpenBSD strives for.

Be grateful they aren't still using punched paper tape for installs.

Re:Floppy disks? (0)

Anonymous Coward | about 6 months ago | (#46003395)

Halp! I can't find my router's floppy disc drive. What do? Please advise! :^D

p.s. I got rid of my last PC with a floppy drive about 5 years ago.

Re:Floppy disks? (0)

Anonymous Coward | about 6 months ago | (#46003441)

And i still use floppy drives because it makes it dead simple to install OpenBSD.

What was your point again? ah yes _you_ personally have no need for this so nobody else should have the option available.

Re:Floppy disks? (0)

Anonymous Coward | about 6 months ago | (#46003621)

The point was the GGP implied the need for a floppy-disc installer was for routers.
WHOOSH.

Re:Floppy disks? (0)

Anonymous Coward | about 6 months ago | (#46003755)

Routers often run on actual server hardware with plenty of options to attach different drives. Routers are far from all "a little blinking box in the corner". No wooshing sound whatsoever here. (that the grandparent also seems to get this wrong as if routers/firewalls have to be tiny embedded systems does not excuse anyone). Then you have VMs where you just attach a floppyimage and have it download the updated system from an internal build machine. So many options - so little WOOSH sound

Re:Floppy disks? (0)

Anonymous Coward | about 6 months ago | (#46003197)

You're right, maybe we should accept that times are changing. OS installation in a security and mission critical environment should be done by USB. Or even a direct Internet connection. Inspecting the content that is being installed and verifying that the installation medium contains exactly what it should sounds uncool.

What could possibly need more security than a computer used to draw pretty pictures on?

One thing OpenBSD is not is a joke (0)

Anonymous Coward | about 6 months ago | (#46003215)

You might want to rethink that "limited by floppy disk support" or "bad joke."

They obviously aren't since they released the new feature and are still supporting install via floppy. For reference Apple can suck OpenBSD's dick.

I bet you think noone still uses mag-tape storage...

Re:One thing OpenBSD is not is a joke (1)

Anonymous Coward | about 6 months ago | (#46003421)

Floppies are almost exclusively dead. Tape is the only realistic backup media for large-scale, long-term, enterprise archival. It may not be fast, but it's relatively sane to work with and lasts for a long time if you've got an appropriate storage facility. Backups back to 7 years, minimum, etc.. The sort of thing you expect out of a law firm or International MegaCorp Inc.. Still big in the mainframe world.

Re:Floppy disks? (1)

dbIII (701233) | about 6 months ago | (#46003665)

Being limited by floppy disk support requirement sounds like a bad joke

Why are you making it then? Out of the dozen machines I've put *bsd on there is only one that had a floppy disk drive. I installed via USB on that one just like all the others.

floppy? (0)

Anonymous Coward | about 6 months ago | (#46002991)

Do they even make those anymore?
I thought those things went the way of copper plate photography and arsenic based treatment for syphilis.
I haven't had a computer with a floppy drive in 10 years (or ever if you want to be pedantic about it).

Re:floppy? (1)

jones_supa (887896) | about 6 months ago | (#46003673)

Verbatim still makes 1.44MB HD floppies. I guess people still need a fair amount of floppies for various niche applications, such as embedded gear or old PCs.

1991 called... (1)

93 Escort Wagon (326346) | about 6 months ago | (#46003021)

Nah, too easy.

Re:1991 called... (0)

Anonymous Coward | about 6 months ago | (#46003063)

... and declared "Intel is just a fad. PowerPC is the processor of the future!"

PPC? I think not! (0)

Anonymous Coward | about 6 months ago | (#46003157)

Itanium is the way forward

Re:PPC? I think not! (1)

Anonymous Coward | about 6 months ago | (#46003401)

Itanium was the platform where EFI was introduced in order to replace 16bit BIOSes. EFI later became UEFI, which virtually all desktop computers ship with. You were saying?

Re:1991 called... (1)

ChunderDownunder (709234) | about 6 months ago | (#46003649)

1987 called to say the Archimedes will spank any 386SX.

RISC OS is a footnote but ARM is in great shape.

2020 called (1)

dbIII (701233) | about 6 months ago | (#46003687)

And asked why so many commercial operating systems still have nothing as advanced as the ZFS on *bsd in 2014.
It will take than long to get a greatly improved MS system win10, Windows RAP or whatever they want to call it.
It makes a grown man cry.

djb switching? (1)

ConstantineM (965345) | about 6 months ago | (#46003085)

I cannot find a back reference right now, but didn't DJB switch away from FreeBSD to Ubuntu precisely because of the signed packages?

Re:djb switching? (0)

Anonymous Coward | about 6 months ago | (#46003113)

Why do you care so much about a man's personal preferences? Do you wear all black clothing too? If DJB told you to jump off a cliff, would you please do it?

it won't fit? (2)

X0563511 (793323) | about 6 months ago | (#46003101)

I call bullshit:
Copied right from /usr/bin:
"-rwxr-xr-x. 1 person staff 744K Nov 11 2010 gpg"

Packed with upx --best: (note this runtime unpacks, there is no loader library etc)
"-rwxr-xr-x. 1 person staff 327K Jan 19 05:40 gpg"

I should note this is a static binary.

Re:it won't fit? (1)

ConstantineM (965345) | about 6 months ago | (#46003285)

On i386, OpenBSD 5.4 can be installed from either one of the 3 floppies:

%ftp ftp://ftp.nluug.nl/pub/OpenBSD/5.4/i386/ [nluug.nl]
...
ftp> ls floppy*
150 Here comes the directory listing.
-rw-r--r-- 1 500 450 1474560 Jul 30 18:27 floppy54.fs
-rw-r--r-- 1 500 450 1474560 Jul 30 18:27 floppyB54.fs
-rw-r--r-- 1 500 450 1474560 Jul 30 18:27 floppyC54.fs
226 Directory send OK.

Which one do you use? You'd have to see which one supports your hardware, which is documented in the INSTALL.i386 file, generated from src/distrib/notes/i386/hardware [bxr.su] , amongst other files:

Drivers for hardware marked with [A] are NOT included in floppy A.
Drivers for hardware marked with [B] are NOT included in floppy B.
Drivers for hardware marked with [C] are NOT included in floppy C.

In summary, it would seem like OpenBSD is only intended to be boot-strapped from a floppy (e.g. to fetch the rest of the files from the network), and from a single floppy at that. So, even with the licence aside, including something like gnupg [ports.su] is indeed unrealistic and cumbersome.

You're wrong. (1)

fisted (2295862) | about 6 months ago | (#46003287)

$ ls -lh `which gpg`
-rwxr-xr-x 1 root wheel 892K Jan 19 06:09 /usr/pkg/bin/gpg
$ file !$
file `which gpg`
/usr/pkg/bin/gpg: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 6.1.2, stripped
$ ldd !$
ldd `which gpg`
/usr/pkg/bin/gpg:
-lintl.1 => /usr/lib/libintl.so.1
-lgcc_s.1 => /usr/lib/libgcc_s.so.1
-lc.12 => /usr/lib/libc.so.12
-lz.1 => /usr/lib/libz.so.1
-lbz2.1 => /usr/lib/libbz2.so.1
$ uname -rsm
NetBSD 6.1.2 amd64


So your statically linked gpg binary is smaller than my dynamically linked gpg binary on the closely related NetBSD.
That does not seem legit, please run the commands I ran, on the not-upx'ed binary and post the results.

Re:You're wrong. (1)

broken_chaos (1188549) | about 6 months ago | (#46003415)

Also important is: which version are you looking at? The 1.4 series (still updated) is intended for smaller/embedded installs, while the 2.x series is intended for mainstream (especially desktop) usage

Re:You're wrong. (1)

fisted (2295862) | about 6 months ago | (#46003735)

$ gpg --version
gpg (GnuPG) 1.4.15


(good call, broken_chaos)

Re:it won't fit? (0)

Anonymous Coward | about 6 months ago | (#46003731)

Do not be so tempered! 327K is about 23% of HD floppy disk size. That is considerable percentage while competing for media space with essential boot utilities and kernel.

Overly paranoid (5, Interesting)

johnwbyrd (251699) | about 6 months ago | (#46003117)

I started using OpenBSD in 1998. It was a viable, timely competitor to Linux at the time, especially for building firewalls as such.

OpenBSD is a great example of what happens when you make life too difficult for end users and administrators in the name of Security. OpenBSD has never embraced the most recent release of anything -- if it's new, by definition it's insecure and it can't be trusted. Ergo, if you have to demonstrate the latest technology in whatever you're doing, you start with a Linux distribution.

From the article: "We wanted a tool that would fit on installation media, which meant minimizing code size and external dependencies." That's the breakage mode, in a nutshell. NO ONE in the world has been clamoring for an OpenBSD signing tool that runs on a floppy. But the designers are imagining the user requirements based on their own biases. This way lies the death of any commercial or open source software product.

Re:Overly paranoid (1)

Anonymous Coward | about 6 months ago | (#46003161)

And yet OpenBSD is still with us, so they must be doing something right.

Re:Overly paranoid (0)

Anonymous Coward | about 6 months ago | (#46003173)

It's free software, it's not like their going to go out of business. it will always be with us as long as theo deraadt can keep living in his mom's basement.

Re:Overly paranoid (1)

johnwbyrd (251699) | about 6 months ago | (#46003195)

Yes, and people are developing games for the Sega Dreamcast as well. Existence is not the same as professional viability.

Re:Overly paranoid (0)

Anonymous Coward | about 6 months ago | (#46003175)

I don't know if you've been paying attention lately, but it's a rather appropriate time to be paranoid.

Re:Overly paranoid (3, Funny)

johnwbyrd (251699) | about 6 months ago | (#46003283)

Okay, so what are you going to do about that paranoia? Use OpenBSD? That's too bad, because the NSA has already inserted cryptospy code into the distribution without Theo's knowledge. Oh, so you'll just compile it yourself from the sources, and read and review them all yourself? Too bad because your compiler has code in it that secretly inserts itself when it detects compilation of the OpenBSD kernel. Oh, but you're going to review all the compiler source code yourself and do a Canadian cross to build a clean compiler which you will then use to build a clean OpenBSD kernel from source? Too bad, because Bernstein has been paid gold in a secret numbered bank account in Thailand to insert a bug that will only manifest when it checks the installation of a new kernel on your machine.

Eventually, you have to put your tinfoil hat away and figure out how to get some work done on that there computer. Paranoia has a useful limit.

Re:Overly paranoid (0)

Anonymous Coward | about 6 months ago | (#46003305)

Sources/citations for any of those? Sounds like you're writing an elaborate work of fiction that has very little to do with OpenBSD or reality.

Re:Overly paranoid (0)

Anonymous Coward | about 6 months ago | (#46003319)

And you just missed the point entirely.

To belabor it: you aren't critical of the paranoid decisions OpenBSD makes for you(*), but you are of those johnwbyrd makes.

*: i doubt you actually use OpenBSD, but whatever.

Re:Overly paranoid (0)

Anonymous Coward | about 6 months ago | (#46003461)

Because i have no clue who john is, and the OpenBSD have a proven track record. (ex desktop openbsd user, still openbsd server user) But if you do not trust them then i suggest you do not use OpenBSD. it is not like its existance is somehow limiting you is it?

Re:Overly paranoid (1)

johnwbyrd (251699) | about 6 months ago | (#46003325)

Bingo! And the fact that you couldn't perceive that is entirely hilarious.

Re:Overly paranoid (1)

Anonymous Coward | about 6 months ago | (#46003261)

OpenBSD has never embraced the most recent release of anything -- if it's new, by definition it's insecure and it can't be trusted.

Which is why I choose OpenBSD. One can choose Linux for this as well, but then you have to start maintaining a set of SELinux rules. If you think that the default SELinux rules are even remotely acceptable, I urge you to stay away from secure systems.

Ergo, if you have to demonstrate the latest technology in whatever you're doing, you start with a Linux distribution.

Building a secure system is not about testing out the latest and coolest technology. It's about being certain that the system is secure. The latest technology is filled with bugs, and enough bugs are later found to be exploitable for that idea to be obviously bad.

NO ONE in the world has been clamoring for an OpenBSD signing tool that runs on a floppy. But the designers are imagining the user requirements based on their own biases.

I am certain that there are OpenBSD users that use floppies to install. Those are most likely among the more careful users, which means that they also would like signed packages. It seems that the OpenBSD developers knows more about their user base than you.

This way lies the death of any commercial or open source software product.

They stick by their conviction that security is relevant and that it can't be patched on in the end. Security is expensive and virtually nobody cares about it, so I agree that they are in the danger zone. That is why de Raadt has urged people to donate.

Re:Overly paranoid (1)

mdenham (747985) | about 6 months ago | (#46003365)

It's about being certain that the system is secure.

To ensure system security, install this software on the system.

Then unplug all cables from it that would allow usage of the system by anyone ever, because you cannot ensure the system is secure while users still have access to it.

Re:Overly paranoid (0)

Anonymous Coward | about 6 months ago | (#46003483)

You are intentionally being an ass. its obvious to anyone into security that perfect security is unobtainable, and when someone does say secure they mean "as secure as we can get while stil doing what we need to get done" (i bet theres someone whos gonna comment how openbsd cant do anything, those same people also like their Windows to come preinstalled with everything so they do not need to configure it for their purpose. TWO ENTIRELY DIFFERENT TARGET GROUPS)

Re:Overly paranoid (1)

Burz (138833) | about 6 months ago | (#46003669)

Most updates are for security fixes.

OTOH, security by correctness all by itself never prevented resourceful attackers from compiling their own databases of zero-day exploits. Infrequent updates just means the list is somewhat larger. I can't agree with this concept of security.

I've been using Qubes OS [qubes-os.org] to enhance security and though it incorporates Linux it uses a clever Xen configuration instead of SELinux to harden the system. No rules to maintain, just straightforward domains. The upshot is I can even run Windows in seamless mode and still expose my core system to less risk than an OpenBSD system running native apps.

Re:Overly paranoid (1)

ls671 (1122017) | about 6 months ago | (#46003279)

How can it be possible to be "overly paranoid" when it comes to machines hooked up to the Internet?

Re:Overly paranoid (2)

johnwbyrd (251699) | about 6 months ago | (#46003307)

When you can't run the software that your job requires on them.

Re:Overly paranoid (1)

ls671 (1122017) | about 6 months ago | (#46003351)

You put that "software" on less secure machines behind reverse-proxies, WAP, traffic analysis software, firewalls etc. which run on OSes designed by overly paranoid people.

Re:Overly paranoid (1)

flyingfsck (986395) | about 6 months ago | (#46003457)

Military IT security motto is: We are not happy until you are not happy.

Re:Overly paranoid (0)

Anonymous Coward | about 6 months ago | (#46003511)

If the software is insecure then I do not care the job requires it. secure it or do not install it. otherwise you are a part of the zombie problem.

You sound like one of those people who go to work no matter how sick you are because "i cant afford a sickday" and then get everyone else sick. antisocial selfish people.

Re:Overly paranoid (2)

Burz (138833) | about 6 months ago | (#46003697)

Run whatever software you need on Qubes. [qubes-os.org] Even then your system is likely to be more secure than OpenBSD.

Re:Overly paranoid (1)

flyingfsck (986395) | about 6 months ago | (#46003453)

You are not paranoid if they really are out to get you and a large part of the OpenBSD userbase is Government/Military, so that is why.

Re: Overly paranoid (0)

Anonymous Coward | about 6 months ago | (#46003563)

[citation required]

Floppy discs and the programmers who use them! (5, Funny)

danpbrowning (149453) | about 6 months ago | (#46003275)

Many members are up in arms over the large new utility: "Programmers these days with their fancy new computers and their gigantic 'five and a quarter' new-age magnetic spinning discs are constantly looking down on us 'old-fashioned' punch-card programmers. Why can't they write a new utility that supports six rows of 8-bit EBCDIC? Laziness. This just proves that OpenBSD don't care about small, home-built systems. Sixty four bytes is big enough for anybody."

Re:Floppy discs and the programmers who use them! (1)

cold fjord (826450) | about 6 months ago | (#46003377)

You know they aren't really writing large programs since they haven't been forced to use 8" floppies [wikipedia.org] .

Re:Floppy discs and the programmers who use them! (1)

flyingfsck (986395) | about 6 months ago | (#46003463)

OK, you jest, but I am not: Military/Government is a large part of the OpenBSD userbase. They still use a large number of antiquated and extremely, unbelievably expensive equipment. So it makes sense after all.

Dupe? (1)

Nemyst (1383049) | about 6 months ago | (#46003371)

I know dupes are a long time Slashdot tradition, so I'm asking: is this a dupe from 1995 or something? Because it sure feels like it.

Re:Dupe? (2)

abhi_beckert (785219) | about 6 months ago | (#46003433)

It's not a dupe, it's just that everyone installs from source on OpenBSD, so signing the binary never made much sense.

Re:Dupe? (1)

Burz (138833) | about 6 months ago | (#46003721)

It's not a dupe, it's just that everyone installs from source on OpenBSD, so signing the binary never made much sense.

Yeah, because its realistic for people to be their own code auditors for a whole OS, and for each install and update.

I'm sorry, but this makes OpenBSD users sound like morons. IMO, they shouldn't try to justify the myopia that has lead to this situation.

Theo Theo Theo (0)

Anonymous Coward | about 6 months ago | (#46003411)

I read a story about Theo having a hard time keeping all the servers running and hoped a company would pick up the tab --for no compensation. I know that Theo might be having problems, but then I heard the story of about 3 million ATM's running 12 year old versions of windows that are nearing EOL. I thought about Theo and openBSD. Linus Torvalds has knocked it for everything, except security. Its quite poor (slow, inefficient) at doing just about everything else, except security, and I thought about all those ATMs. An ATM doesn't need much. It needs to read a few inputs, a few drivers for counting money, and it needs a very secure network connection. openBSD is absolutely perfect for use in ATMS. If just 1 bank adopted openBSD for their ATMs, they would likely save Theo's costs, and would likely see wider adoption.

Re:Theo Theo Theo (1)

Anonymous Coward | about 6 months ago | (#46003549)

I read a story about Theo having a hard time keeping all the servers running and hoped a company would pick up the tab --for no compensation.

No compensation besides a pretty rock solid server OS they can modify and use as they see fit you mean?

Those ATM companies could simply pick up OpenBSD for free and make it work. That would put 0 money in Theo's pockets. (and slow+secure is a hell of a lot more useful than fast+insecure when you are directly attached to the internet)

It seems to me you do not really know what you are talking about and just repeating some rumors you have picked up at random uninformed or biased blogs.

Elliptic Curves? Designed by NIST? (0)

Anonymous Coward | about 6 months ago | (#46003663)

I note that the crypto software used, is based on an elliptic curve designed by the NIST.
I am not any kind of crypto guy, but IIRC these elliptic curves rely on some magic constants. No one has ever explained how these magic constants were obtained. There has always been some suspicion, now heightened, that the NSA asked the NIST to deliberately choose constants that would allow the NSA to break the encryption as needed.
So why did DJ Bernstein and Co not design their own elliptic curve?
pgmer6809

Re:Elliptic Curves? Designed by NIST? (0)

Anonymous Coward | about 6 months ago | (#46003745)

They did, you moron. Just like your post is moronic, but not every moronic post is yours, there is an elliptic curve designed by NIST, but NIST didn't invent (and backdoor) every elliptic curve out there.

"25519" in Ed25519 stands for elliptic curve named "curve25519 [cr.yp.to] " designed by D.J. Bernstein.

Probably for bootable CDs (4, Informative)

Animats (122034) | about 6 months ago | (#46003667)

This is probably because they want the signature checker to fit in the CD boot loader. For historical reasons [mit.edu] , bootable CDs imitate a floppy during the initial boot process, and contain an image of a 1.44MB floppy with a FAT file system. When you boot an PC-type x86 machine from CD, that simulated floppy (the file "floppy54.fs" for OpenBSD) is read by the BIOS and a file from it is executed.

This process is so retro that the initial program loaded is executed in 16-bit X86 mode.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>