On Wed, Sep 5, 2012 at 2:22 PM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote: > On Wed, 5 Sep 2012 23:12:37 +0800 > Rowdy OpenBSD wrote: > >> > To the OP. When checking I choose a source mirror or two and download >> > just the SHA256. There is no sha256 for src.tgz and sys.tgz but you can >> > use ssh for the source code by getting the fingerprint once like for >> > signatures but tied to servers and not devs. >> >> Thanks for trying to help, Kevin, but there are significant weaknesses >> in your process. >> >> How do you upgrade packages? > > It really irks me when people use my name when there is no need but > I'll assume you just wanted to make clear you were responding to my > quote (above) and also assume you are not a troll this once. > > There are significant weaknesses in any process, the majority of which > occur between the build infrastructure and source providers which > OpenBSD does a very nice job of.
yes, but in this case choosing one or more mirrors doesn't make a difference. the list of sanctioned mirrors is publicly available. it'd be weird if it weren't since they're intended to be public means of distribution. if i bother setting up a ftp server, i can also bother redirecting more than one ip address. the blanket statement, "there are significant weaknesses in any process", doesn't in any way justify downloading sha256 from more than one mirror from the same connection, kevin
