t...@equalit.ie (tomr), 2018.02.22 (Thu) 12:35 (CET):
> On 02/21/18 04:39, Kevin Chadwick wrote:
> > On Tue, 20 Feb 2018 19:23:05 +0200
> >
> >
> >> Isn't the same true when I download file sets from any mirror? After
> >> all I download SHA256.sig and file sets from mirror, how can I trust
> >> it?
> >
> > I am not a developer but my take is that they do not want to tell you it
> > is verified if you have been given a CD etc. Anything could have been
> > booted and tell you it is verified.
> >
> > You can verify the .iso manually and you can use e.g. isomaster to add
> > sha256.sig to the CD in which case it will verify them. I have used
> > this in the past as a scratched rw seemingly fails sooner on verify than
> > reading and also won't try to upgrade.
> >
> > If you have already manually verified bsd.rd and booted from that as I
> > and I guess most developers do most often when upgrading then you do
> > want it to tell you the http retrieval verified.
> >
> > I guess it was the simplest way considering installer size
> > constraints/battles to avoid misinforming the user.
> >
>
> I have a little snapshot upgrade script which:
>
> - downloads snapshots/amd64/SHA256.sig from a mirror
> - compares that against my latest local copy, exits if they are the same
>   (ie no new snapshot)
> - TODO: grabs SHA256.sig from ftp.openbsd.org and compares, exits if the
>   mirror is not in sync
> - downloads snapshots/amd64/installXX.fs from the mirror
> - verifies installXX.fs with signify
> - vnd mounts installXX.fs and copies the files to where I expect them
>   for upgrade
> - copies the (now verified) SHA256.sig into place
> - copies the latest bsd.rd to / so I can boot from it
> - informs me that a new snapshot is ready to install
>
> It's not cron'ed, I just run it when I feel like maybe upgrading.
>
> Somewhere on the todo list is to figure out how to build a custom bsd.rd
> containing auto_upgrade.conf so that it's more or less automatic (works
> great for local VMs, but I don't always control the upstream DHCP server
> and anyway iwm firmware isn't ready at that point in the installer).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Information for inst:upobsd-0.0.20180106

Comment:
download, verify and patch bsd.rd image

Description:
upobsd is a ksh(1) script designed to download, verify and optionally
patch bsd.rd image.

upobsd will download bsd.rd image using ftp(1) from mirror defined in
installurl(5), will verify the downloaded file using signify(1) and
local key inside /etc/signify to ensure integrity, and optionally patch
the image for adding auto_install.conf or auto_upgrade.conf file to add
support of offline autoinstall(8).

Maintainer: Sebastien Marie <sema...@online.fr>

WWW: https://bitbucket.org/semarie/upobsd
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Marcus
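
The steps listed in the quoted message, including its TODO mirror comparison, written out as an added example; this is not tomr's script and not upobsd. MIRROR, VER, WORK, DEST, the vnd0 device with its 'a' partition, the /mnt mount point and the image layout are assumptions. It defines functions only and starts the procedure when invoked on OpenBSD as root with the argument "run".

```shell
# Added example, not tomr's script. Assumed: MIRROR, VER, WORK, DEST, vnd0
# with an 'a' partition, /mnt, and sets stored under <version>/amd64/.
MIRROR=${MIRROR:-https://mirror.example.org/pub/OpenBSD}  # placeholder mirror
MASTER=https://ftp.openbsd.org/pub/OpenBSD   # host named in the message
VER=${VER:-XX}                  # the XX of installXX.fs
ARCH=snapshots/amd64
WORK=${WORK:-/var/tmp/snapup}   # scratch directory (assumed)
DEST=${DEST:-/upgrade}          # where verified files are staged (assumed)

# True (0) when $1 is missing or differs from $2.
sig_differs() { [ ! -f "$1" ] || ! cmp -s "$1" "$2"; }

# The trust step: check installXX.fs against SHA256.sig with the local key.
verify_image() {
    (cd "$1" && signify -C -p "/etc/signify/openbsd-$VER-base.pub" \
        -x SHA256.sig "install$VER.fs")
}

# vnd-mount the verified image read-only and copy sets and kernels out.
stage_files() {
    vnconfig vnd0 "$WORK/install$VER.fs" || return 1
    mount -o ro /dev/vnd0a /mnt || { vnconfig -u vnd0; return 1; }
    cp /mnt/*/amd64/* "$DEST"/
    rc=$?
    umount /mnt; vnconfig -u vnd0
    return "$rc"
}

main() {
    mkdir -p "$WORK" "$DEST" && cd "$WORK" || return 1
    ftp -o SHA256.sig "$MIRROR/$ARCH/SHA256.sig" || return 1
    sig_differs "$DEST/SHA256.sig" SHA256.sig ||
        { echo "no new snapshot"; return 0; }
    # Freshness check only: matching ftp.openbsd.org is not verification.
    ftp -o master.sig "$MASTER/$ARCH/SHA256.sig" || return 1
    if sig_differs master.sig SHA256.sig; then
        echo "mirror is not in sync" >&2; return 1
    fi
    ftp -o "install$VER.fs" "$MIRROR/$ARCH/install$VER.fs" || return 1
    # Nothing is mounted or copied unless the signature check passes.
    verify_image "$WORK" || { echo "signify check failed" >&2; return 1; }
    stage_files || return 1
    cp SHA256.sig "$DEST/SHA256.sig" && cp "$DEST/bsd.rd" /bsd.rd || return 1
    echo "new snapshot ready to install"
}

if [ "${1:-}" = run ]; then main; fi
```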