>On Tue, 20 Feb 2018 18:45:01 +0100 >Stefan Sperling <s...@stsp.name> wrote: > >> > I download SHA256.sig abd file sets from mirror, how can I trust it? >> >> You run a trusted signify binary, which was not obtained from the >> mirror but is part of your existing install, to check the signature >> on SHA256.sig. > >I know this is a little bit farfetched, pardon my ignorence, but >OpenBSD seeems vulnerable on first installation. In case of DNS >poisoning, what can stop a virus from forwarding the installer to a >false SHA256.sig and false repository? My guess would be to use >DNSSEC and a local copy of an OpenBSD repository to avoid such issue. > >Also I still don't understand the logic of not embedding SHA256.sig in >the ISO. A SHA256.sig exists, why NOT use it?
Sometimes there's a vast difference between a person who declares something useful and easy to do, and the reality. Sometimes the person is just plain wrong.
