That's irrelevant (the impersonating bit).
What you have to understand is this - this is not a commercial

venture, nor is openbsd looking to grow marketshare or ease of use or

anything.  This is a project by developers for themselves.
Yes, they do sell CDs and so on to help support the project, and yes

they have users that they support.  But the moment the users become

annoying and passes a certain threshold (which are different for

different developers) those users become lusers (not saying you are

one, btw).
So, look at their objectives - does using pki solve anything for them?

 No, not really.  Signing source code that goes into the tree - does

it help?  No, if an intruder got in, they would have gotten the key

anyway.  Signing binaries?  What's on the primary server is considered

authoritative.  Or you can compile your own.  Binary updates?  Don't

do it.  Mirrors - they currently use MD5 which is cheap and fast and

good enough.
So, to put in a complicated pki and so on would add overhead that is

really useless to the developers.  It may benefit some users.  But

does the benefit outweigh the cost?  Not currently, according to the

developers.
Now, if you're willing to fund it, and do the work, and manages to

gain Theo's trust, then you get to do it.  But else, I don't really

see the devs taking on this additional work for fun.  And ultimately

that's what they're doing - having fun.
Now, it could be that tomorrow one of the devs catches the pki bug -

then suddenly, all these can and will happen.  But I doubt it.
On 12/5/07, new_guy  wrote:

quoted text
> Bob Beck-2 wrote:

> >

> > 	If you want a secure binary. buy an official CD.. This is

> > what most people do.  PKI requires infrastructure that would cost OpenBSD

> > money and developer time. Official CD's keep OpenBSD alive.

> >

> > 	Oh wait, we should devote resources to people who care about

> > security, just not enough to spend  on it..   Yeah. I'll get right

> > on that.

> >

> > 	-Bob

> >

>

> One last thought. You insinuate in this post that I do not buy CDs or

> support OpenBSD. I claim that I do. There is a person listed by my name on

> the donations page... but since I was not given the opportunity to digitally

> sign my donation ;) I could just be impersonating that person. How is that

> for irony? I'll go away now.

>

> Thanks,

> Brad

>

> --

> View this message in context:

> http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14180803

> Sent from the openbsd user - misc mailing list archive at Nabble.com.

>

>

--

http://www.glumbert.com/media/shift

http://www.youtube.com/watch?v=tGvHNNOLnCk

"This officer's men seem to follow him merely out of idle curiosity."

-- Sandhurst officer cadet evaluation.

"Securing an environment of Windows platforms from abuse - external or

internal - is akin to trying to install sprinklers in a fireworks

factory where smoking on the job is permitted."  -- Gene Spafford