On Tue, Feb 28, 2012 at 9:44 PM, Nathan Stiles <stiles.nat...@gmail.com> wrote:
> Hello,
> I've recently installed 5.0 and based upon my experience
> I expected a checksum to be posted for the ISO.
> Also I've noticed that HTTPS isn't implemented on openbsd.org.
> I was also expecting the checksum to be served over HTTPS.
> I'm sure there's a good reason why this isn't necessary?
> I want to check the files I've downloaded against something?
> Obviously I can check a few random mirrors to ensure
> that files are identical. What are others doing?
>
> Thanks,
> Nathan
>

There is a "SHA256" file published in the same directory, which lists checksums of the ISOs and other files.

This just came up in the Scientific Linux mailing list. While checksums are useful, they're not helpful if both the checksum and the file itself are corrupted. Someone (namely me!) also pointed out the possibility of manipulating the FTP or HTTP transmission en route, and I pointed out the risk of a Trojan-infested mirror, BitTorrent, or other popular network access source. It's why I'm happy to use BitTorrent to get ISOs in a speedy fashion, but *ALWAYS* check the checksums against the original source when the download is complete.

Even a shipped CD has some subtle, secondary risks: if I put that copy in my software box and put the ISO image online locally for building virtual hosts (which I've done in the last year), what prevents some weasel at work from replacing my ISO? Yes, I trust the people I work with, but assuring the provenance of an ISO image can be a useful bit of extra certainty. This is especially the case when your local mirror is *not* as secure as you might like.
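The "check the ISO against the SHA256 listing" step discussed in this thread, as an added shell example that is not code from the original posts or from the OpenBSD project. It parses the `SHA256 (name) = digest` line format that the listing uses, computes the local file's digest with whichever tool is installed (`sha256` on OpenBSD, `sha256sum` on Linux, `shasum -a 256` on macOS), and reports OK, MISMATCH, or "not listed". The function names, the sample listing and the tiny stand-in for the ISO (whose digest is the well-known SHA-256 of the string "abc") are constructed for the demo and are assumptions, not real OpenBSD release data.

```shell
#!/bin/sh
# verify_iso.sh (hypothetical name): check a downloaded file against an
# OpenBSD-style SHA256 listing. Listing lines look like:
#   SHA256 (install50.iso) = <64 hex digits>
# Assumes filenames contain no whitespace, which holds for release files.

# Print the hex SHA-256 of file $1 using whatever tool this host provides.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                          # OpenBSD: -q prints only the digest
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1          # GNU coreutils: "<digest>  <file>"
    else
        shasum -a 256 "$1" | cut -d' ' -f1      # macOS / Perl shasum
    fi
}

# Print the digest the listing $1 records for the basename $2, lower-cased.
# Prints nothing if the name is not in the listing.
expected_digest() {
    listing=$1; name=$2
    awk -v want="$name" '
        $1 == "SHA256" && $2 == ("(" want ")") && $3 == "=" { print tolower($4); exit }
    ' "$listing"
}

# verify_file LISTING FILE
# Returns 0 if the digest matches, 1 if it differs, 2 if FILE is not listed.
verify_file() {
    listing=$1; file=$2
    name=$(basename "$file")
    want=$(expected_digest "$listing" "$name")
    if [ -z "$want" ]; then
        echo "$name: not listed in $listing" >&2
        return 2
    fi
    got=$(sha256_of "$file")
    if [ "$got" = "$want" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (expected $want, got $got)" >&2
    return 1
}

# Constructed demo data, not real release files: a tiny stand-in "ISO" whose
# contents are the string "abc", plus a tampered copy that the listing does not
# match. Prints the temp directory that holds them.
demo_setup() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/install50.iso"
    printf 'abd' > "$dir/tampered.iso"
    cat > "$dir/SHA256" <<'EOF'
SHA256 (install50.iso) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA256 (tampered.iso) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
EOF
    echo "$dir"
}

# Stand-alone run: sh verify_iso.sh --demo
if [ "${1-}" = "--demo" ]; then
    d=$(demo_setup)
    verify_file "$d/SHA256" "$d/install50.iso"
    verify_file "$d/SHA256" "$d/tampered.iso" || true
    rm -rf "$d"
fi
```

For the check to mean what the reply above wants it to mean, fetch the SHA256 listing from the original source (the project's own site) rather than from the same mirror or torrent that supplied the ISO: a listing that travelled with the file only catches transfer corruption, not a substituted file on a compromised mirror. Run it as `verify_file /path/to/SHA256 /path/to/install50.iso` and act on the exit status, not just the printed line.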