>> > Come on... twice a year and get the benefit of not being excluded from
quoted text
>> > company policies which require digital signature of software downloaded
>> > through the internet.
>> 
>> It's not really OpenBSD's problem that some companies implement pointless
>> "security" policies.
>
>I'm not discussing wether its pointless or not, maybe you don't want
>OpenBSD to be used at all?

You make it sound like OpenBSD is a vendor that is actively marketing to these 
companies and that cannot make a sale because it is not meeting a specific set 
of criteria in your requirements docs.

Tell you what.  I am sure there are a number of individuals on the list who 
own or work at companies that would be more than happy to provide your 
employer with a custom-built set of installation binaries and packages, signed 
for your digital pleasure.  I expect bi-annual costs, including overhead like 
lawyers, errors and omissions insurance, etc, to run mid-5-figures per 
release.  Minimum 5 release contract.  Expect much re-writing of contract 
clauses.  If there is indeed that much value derived in your organization from 
the use of OpenBSD, then this will be a paltry sum to pay.

I am fairly confident that Oracle and Sun and SAP likely aren't PKI'ing their 
updates from their websites.  Oh wait.  Are those excluded from the company 
policy because you have a contract in place?  

I went through a similar policy a few years ago while doing Sarbanes-Oxley 
consulting.  The lawyers and auditors were screaming for validation of free 
software, like Perl.  After many months of having tantrums, they, along with 
management, finally realized that going down this path would be tantamount to 
try to chip away all the morter keeping a brick building together.  The 
effects on the integrity of the structure (corporate, in this case) would be 
too great to keep pursuing this line of thought.  That policy was abandoned 
because it was costing more to implement than the perceived risks they 
believed they could mitigate. (i.e. - they had to think in practical terms)

Shortly afterward, I went back to steel-toed-boots engineering, where risks 
models really matter because you're trying to ensure that people don't get 
killed, that the environment doesn't get polluted, that you don't destroy 
assets and that you don't impact production.  Digital signatures are pretty 
irrelevant when you need to be concerned about an explosion that could 
potentially wipe out a few hundred million in infrastructure in the space of a 
few city blocks.  Or when an H2S leak can kill you and your crew in the matter 
of a few breaths. 

If it's that important, shut up and hack.  Or otherwise just shut up.