On 26.03.2014 at 21:54, Rene Gollent <anevilyak@xxxxxxxxx> wrote:

> Plain and simply, I find the sheer amount of paranoia displayed by you
> surrounding both SecureBoot and all the package signing entirely
> excessive, and simply resulting in unnecessary busywork and annoyance
> for both the end users and the relatively small pool of people
> handling the porting work.

For users, it would be purely optional. And I would do the work.

> Having to supply 4 different hashes for
> every package

You don't have to, it's two hashes (RMD160 + SHA512) plus size. MD5 is going to go away, as discussed before. And thanks to olta's change, you get a nice template you can just copy. So it's even less work than it was before with just MD5.

> and distrusting e.g. downloading source from github is
> from my standpoint absurd.

Why do we even have checksums for the tgz files then? We download the sources without certificate checks.

> If I was really that paranoid, I'd be
> running an entirely different platform geared solely towards these
> issues from the ground up. So yes, I'm entirely serious.

Well my hope was to add enough security to Haiku that I feel confident enough to trust it with my SSH key, starting with the things easiest to exploit. But since I get so much opposition to that, I'll drop it and have to live with the fact that Haiku will never be able to be my main OS. I won't always have the time to build everything from source, meaning at one point, I'll only be able to run Haiku in a VM.

*sigh*

--
Jonathan