Contributed by jose on from the verifiable-advisories dept.
FreeBSD and Debian, to name two examples, send out their advisories signed via PGP (GnuPG) making it easy to verify the message is really coming from the Security Officer.
It shouldn't be hard to send out a fake advisory pointing to a malicious patch somewhere on an FTP server. True, while real OpenBSD users always check the errata page before installing patches, this doesn't seem to be in line with the proactive approach that makes OpenBSD OpenBSD. Also true, the people falling for this trick are probably not the ones who could be saved from it by using GnuPG (they probably don't use it anyway), but I mean... just as a precaution. We OpenBSD folks like security. And thus we should like verifying such important things as advisories for authenticity and integrity.
Furthermore, wouldn't it be wise to add MD5 checksums to the patches on the FTP server and mention these in the advisory?
It's not totally clear to me why OpenBSD doesn't do this.
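The check the post is asking for, written out as an added example (this is not code from the post, from OpenBSD or from any of the named projects): after the advisory itself has been signature-verified, the MD5 line it carries is parsed and compared against the digest of the patch actually fetched from the mirror. The advisory text, the patch name `001_example.patch` and the patch bytes are constructed for the example; the checksum line uses the `MD5 (file) = digest` format of the BSD md5(1) tool, which is assumed to be what a maintainer would paste into an advisory. The `gpg --verify` wrapper is included for the first step but needs the Security Officer's key in your keyring and a real clearsigned file, so only the checksum part runs offline.

```python
"""Verify a fetched patch against the checksum published in a signed advisory.

Added example, not OpenBSD's own tooling.  The advisory and patch below are
constructed sample data.  The order matters: verify the advisory's signature
first, because a checksum in an unverified advisory proves nothing.
"""
import hashlib
import hmac
import re
import subprocess

# BSD md5(1) output line, e.g. "MD5 (001_example.patch) = 9e107d9d..."
CHECKSUM_LINE = re.compile(
    r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$", re.MULTILINE
)


def advisory_signature_ok(clearsigned_path):
    """Run `gpg --verify` on a clearsigned advisory file.

    Returns True only when gpg exits 0, i.e. the signature is good and was
    made by a key already in the local keyring.  Requires gpg on PATH;
    not exercised by the offline sample below.
    """
    result = subprocess.run(
        ["gpg", "--verify", clearsigned_path],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def parse_checksums(advisory_text):
    """Return {filename: md5 hex digest} for every checksum line in the advisory."""
    return {
        m.group("name"): m.group("digest").lower()
        for m in CHECKSUM_LINE.finditer(advisory_text)
    }


def patch_matches(advisory_text, patch_name, patch_bytes):
    """True only if the advisory lists patch_name and the patch's MD5 matches.

    A patch the advisory does not mention is rejected rather than trusted,
    and the comparison is constant-time so the caller cannot leak how many
    leading hex digits of a forged checksum were right.
    """
    expected = parse_checksums(advisory_text).get(patch_name)
    if expected is None:
        return False
    actual = hashlib.md5(patch_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


# --- constructed sample data (not a real OpenBSD advisory or patch) ---------
GOOD_PATCH = (
    b"--- example.c\n"
    b"+++ example.c\n"
    b"@@ -1 +1 @@\n"
    b"-strcpy(buf, input);\n"
    b"+strlcpy(buf, input, sizeof(buf));\n"
)
# Same diff with one character flipped, standing in for a swapped file on a mirror.
TAMPERED_PATCH = GOOD_PATCH.replace(b"strlcpy", b"strncpy")

# The advisory quotes the digest of the genuine patch, as the post proposes.
SAMPLE_ADVISORY = (
    "Hypothetical Security Advisory (constructed example)\n"
    "\n"
    "A patch is available from the usual FTP mirrors.\n"
    "\n"
    "MD5 (001_example.patch) = " + hashlib.md5(GOOD_PATCH).hexdigest() + "\n"
)


if __name__ == "__main__":
    print("genuine patch:", patch_matches(SAMPLE_ADVISORY, "001_example.patch", GOOD_PATCH))
    print("tampered patch:", patch_matches(SAMPLE_ADVISORY, "001_example.patch", TAMPERED_PATCH))
    print("unlisted patch:", patch_matches(SAMPLE_ADVISORY, "002_other.patch", GOOD_PATCH))
```

The digest algorithm is only fixed by the `MD5 (` prefix in the regular expression and the `hashlib.md5` call, so a stronger digest published in the same line format drops in with a two-line change; what does not change is that the checksum is worth exactly as much as the signature on the advisory that carries it.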