Half of the article is sensationalist and bashes OpenBSD for bashing's sake. The devs are right about 90% of the time; they'd rather do something right than jump on the bandwagon and ride the hype off the cliff.
Yes, that's exactly what you'd expect from OpenBSD, now, in the past, and hopefully for many more years in the future. Years and years and only two remote holes.
OpenBSD is a bit bipolar. The rationale behind http was that since CAs demonstrated[1] that every CA can't do their job all the time it was more appropriate to let users use other methods of authenticating their installs. So you are supposed to check hashes via different networks, ask other people to verify hashes, etc. Many people though just want isos and don't care if it's coming from a source that works only 99.999% of the time so now they got that.
GPG is also way over-engineered for its most common use case, so signify was made to unburden existing OpenBSD users from unnecessary risks. But again it wouldn't hurt them if they signed isos with both GPG and signify. It's not like Linux isn't without a laundry list of faults though.
3 comments
[ 3.4 ms ] story [ 20.2 ms ] threadYes, that's exactly what you'd expect from OpenBSD, now, in the past, and hopefully for many more years in the future. Years and years and only two remote holes.
Thank you OpenBSD!
GPG is also way over-engineered for its most common use case, so signify was made to unburden existing OpenBSD users from unnecessary risks. But again it wouldn't hurt them if they signed isos with both GPG and signify. It's not like Linux isn't without a laundry list of faults though.
[1]https://en.wikipedia.org/wiki/DigiNotar