Actually, I read through those messages, and in brief it is said that
"we think it's worse to sign packages than not to sign them if you don't have
a fairly strict process that ensures you have a correct chain of trust.
Without that, signatures provide a false sense of security that doesn't
match anything..."
If someone uses checksum on mirror, it does not make sense, but if someone uses
checksums from either CD or ssh'ed anonCVS server, I think it is fine
(_not?_)
Let's forget about packages... then is it (below) the best way to have almost
ideal system?
- Buy CD rom, since it is original. Install original packages.
- If a package is not on CD then get ports.tgz through anoncvs server and
build by compiling.
Patience is a virtue, and helping too, and I thank you for your reply.
Really.
Regards,
Cem
Jasper Valentijn, 05/11/09 18:41:
2009/5/11 Cem Kayali <cemkay...@eticaret.com.tr>:
If someone (who knows) replies, I would appreciate...
Patience is a virtue...
If I would download packages through a mirror server, how could I validate
their checksum? Please note, I'm NOT mentioning about using checksum on
mirror server, which is not valid if the packages are already
compromised... Shouldn't these checksums exist on openbsd.org main web site
at least?
<http://marc.info/?l=openbsd-misc&w=2&r=1&s=packages+checksum&q=b>
And read.
If you've downloaded ports.tar.gz, untarred it and done a cvs up -C -Pd
you can be sure it's in sync with the cvs server...
since I couldn't see a list of md5/sha256(512) sums of those in main
www.openbsd.org website ---nor somebody mentions they are in cdroms? Maybe I
can get ports via anoncvs but not packages. Well, ordering cd-rom is not a
problem, but it does not contain all the software I wish -probably.
It does support the project and does contain a clean ports tarball.
I'm sorry if this looks like 101 OpenBSD question, this is just how NetBSD
(that I use) handles.
You're not the first to ask and not the first who didn't search the
archives before asking...
--
We spend the first twelve months of our children's lives teaching
them to walk and talk and the next twelve telling them to sit down and
shut up.