Working out the details of who signed what and when for OpenBSD took several weeks. After months of people asking when a portable release would be made (and critics slagging us and saying it would/could never happen), we could have held back the release for another month while we sorted that out. Or we could cut a release right now, while all the people working on portable are sitting in the same room and are well positioned to resolve build issues. Apparently we chose wrong. Next time we'll maintain radio silence until everything is just perfect.
I appreciate the clarification; had the announcement contained something to that effect ("We realize that production releases need GPG signatures and secure distribution channels, but we want to get this build out for early testing by devs and we're still ironing out the aforementioned distribution procedures"), I'd not have had any complaint at all.
Unfortunately, without that notice, my first thought was "why is it linking me to an HTTP site". The notice prevents visitors like me from guessing as to why that is by setting the appropriate context and letting us know you're aware of the right steps but they aren't feasible right now.
It's not the state of the software itself that's being questioned here. It's how security wasn't put first and foremost in this case. Putting an extraordinarily high degree of emphasis on security is something a lot of us have come to expect from OpenBSD and related projects. Security comes first, even if that means waiting a bit longer for an official release, or something like that.
While LibreSSL does appear to be going in the right direction, especially after the disastrous few months that OpenSSL has had, the community at large does want to be reassured that the LibreSSL project truly does revere security. A more security-conscious release in this case would have helped with that.
I respect the work you're doing on LibreSSL and OpenBSD. The release of this portable LibreSSL arrived much sooner than anyone expected and that's commendable. I think pretty much everyone expected it to be released in OpenBSD first and later as a portable version.
However, I really like to download code related to cryptography securely. Perhaps you didn't have the resources or the time to do this.
There were a few easy-to-do things: posting the hashes of the downloads in various places like GitHub, mailing lists, this HN thread and a few others.
GitHub is useful for serving source releases, as long as you post the hashes in more places.
OpenSSL has been heavily criticized. That has been debated ad nauseam in countless places. The one thing I like about OpenSSL is that they're providing secure downloads. Their code might be bad, but at least you can download it from them via HTTPS.
Many would like to contribute, but the OpenBSD project isn't the friendliest (that's a mild way to put it).
I'm also horrified to see that the OpenBSD songs are still without proper PGP signatures. How can I be sure Richard Stallman and Bill Gates didn't tamper with the lyrics?
Btw, did you have a look into ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ ?
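
The cross-check suggested in the thread above (hashes of the downloads posted in several places), as an added example that is not from any commenter or from the LibreSSL project. The channel labels and the sample file are constructed for illustration, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large tarballs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def cross_check(path, published, minimum_channels=2):
    """Compare the local digest with digests copied from independent channels.

    published maps a channel label to the hex digest seen there.
    Returns (ok, mismatching_channels). ok is True only when at least
    minimum_channels digests were collected and every one matches.
    """
    actual = sha256_file(path)
    mismatches = sorted(
        channel for channel, value in published.items()
        if not hmac.compare_digest(actual, value.strip().lower())
    )
    ok = len(published) >= minimum_channels and not mismatches
    return ok, mismatches

def demo():
    # Constructed sample: a stand-in file, not a real LibreSSL tarball.
    with tempfile.TemporaryDirectory() as tmp:
        tarball = Path(tmp) / "release-sample.tar.gz"
        tarball.write_bytes(b"constructed release contents\n")
        good = sha256_file(tarball)
        # Hypothetical channel labels; each digest would be copied from that place by hand.
        agree = cross_check(tarball, {"mailing-list": good, "github": good.upper()})
        one_bad = cross_check(tarball, {"mailing-list": good, "http-mirror": "0" * 64})
        single = cross_check(tarball, {"http-mirror": good})
        return agree, one_bad, single

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Agreement only adds assurance when the channels are independent of the download path; a digest fetched from the same plain-HTTP server as the tarball can be altered along with it.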