On 02/21/18 04:39, Kevin Chadwick wrote:
> On Tue, 20 Feb 2018 19:23:05 +0200
>
>
>> Isn't the same true when I download file sets from any mirror? After
>> all I download SHA256.sig and file sets from mirror, how can I trust
>> it?
>
> I am not a developer but my take is that they do not want to tell you it
> is verified if you have been given a CD etc. Anything could have been
> booted and tell you it is verified.
>
> You can verify the .iso manually and you can use e.g. isomaster to add
> sha256.sig to the CD in which case it will verify them. I have used
> this in the past as a scratched rw seemingly fails sooner on verify than
> reading and also won't try to upgrade.
>
> If you have already manually verified bsd.rd and booted from that as I
> and I guess most developers do most often when upgrading then you do
> want it to tell you the http retrieval verified.
>
> I guess it was the simplest way considering installer size
> constraints/battles to avoid misinforming the user.
>
I have a little snapshot upgrade script which:

- downloads snapshots/amd64/SHA256.sig from a mirror
- compares that against my latest local copy, exits if they are the
  same (i.e. no new snapshot)
- TODO: grabs SHA256.sig from ftp.openbsd.org and compares, exits if
  the mirror is not in sync
- downloads snapshots/amd64/installXX.fs from the mirror
- verifies installXX.fs with signify
- vnd mounts installXX.fs and copies the files to where I expect them
  for upgrade
- copies the (now verified) SHA256.sig into place
- copies the latest bsd.rd to / so I can boot from it
- informs me that a new snapshot is ready to install

It's not cron'ed, I just run it when I feel like maybe upgrading.
Somewhere on the todo list is to figure out how to build a custom
bsd.rd containing auto_upgrade.conf so that it's more or less automatic
(works great for local VMs, but I don't always control the upstream
DHCP server and anyway iwm firmware isn't ready at that point in the
installer).

t
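
The fetch, compare and verify steps of the script described above, sketched as an added example that is not the poster's own script; it leaves out the vnd mount and bsd.rd copy. The mirror URL, the REL placeholder for XX, the STATE and WORK directories, the script name and the return codes are all assumptions.

```sh
#!/bin/sh
# Added example, not the poster's script. All values below are assumptions:
# the mirror is a placeholder, REL stands for the XX in installXX.fs, and
# STATE/WORK are hypothetical directories.
MIRROR=${MIRROR:-https://mirror.example.org/pub/OpenBSD}
MASTER=${MASTER:-https://ftp.openbsd.org/pub/OpenBSD}
ARCH=${ARCH:-amd64}
REL=${REL:-XX}
STATE=${STATE:-/var/db/snapcheck}   # holds the last *verified* SHA256.sig
WORK=${WORK:-/tmp/snapcheck}        # scratch area for downloads

# fetch URL FILE, using OpenBSD ftp(1)
fetch() { ftp -o "$2" "$1"; }

# signify -C checks the signature on SHA256.sig, then the hash of the image.
verify_image() {
    ( cd "$WORK" && signify -C -p "/etc/signify/openbsd-${REL}-base.pub" \
        -x SHA256.sig "install${REL}.fs" )
}

# Returns 0: new snapshot verified, 1: no new snapshot,
#         2: mirror not in sync, 3: fetch or verification failed.
check_snapshot() {
    dir="snapshots/$ARCH"
    mkdir -p "$WORK" "$STATE" || return 3
    fetch "$MIRROR/$dir/SHA256.sig" "$WORK/SHA256.sig" || return 3
    # Unchanged from the copy verified last time: nothing to do.
    if [ -f "$STATE/SHA256.sig" ] &&
        cmp -s "$WORK/SHA256.sig" "$STATE/SHA256.sig"; then
        return 1
    fi
    # Sync check only; trust comes from the signify verification below.
    fetch "$MASTER/$dir/SHA256.sig" "$WORK/SHA256.sig.master" || return 3
    cmp -s "$WORK/SHA256.sig" "$WORK/SHA256.sig.master" || return 2
    fetch "$MIRROR/$dir/install${REL}.fs" "$WORK/install${REL}.fs" || return 3
    verify_image || return 3
    # Record SHA256.sig only after the signature and hash both checked out.
    cp "$WORK/SHA256.sig" "$STATE/SHA256.sig" || return 3
    return 0
}

# Run the check only when invoked as: sh snapcheck.sh run
if [ "${1:-}" = "run" ]; then
    check_snapshot
    exit $?
fi
```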