Luis Suzuki <luissuz...@live.com> writes:

> I have installed all of OpenBSD 5.2 that came with the install52.iso and
> everything is fine. Now I want to install a GUI (gnome or kde) and other
> software that did not come with install52.iso. How can I be certain that the
> download is cryptographically secure and the downloaded packages are genuine?

Well, if you'd bought a CD set, you would have had access to a
significant subset of the packages collection, fresh from a read-only
medium that came from a trusted source.  Why don't you?

> Does pkg_add automatically verify signed packages, or do I have to use a secure
> link: https://ftp.openbsd.org/.../.../... , or so?

First, please find a mirror. Very few people have any good reason to use
the main one at ftp.openbsd.org directly.

Second, you'll notice that each of the directories on the mirrors
contains a file called SHA256, which in turn contains the SHA256
checksums for all the files in that directory. Try grabbing the SHA256
along with the packages and verify that the signature checks out. Better
yet, fetch the SHA256 from the same directory on a different mirror.

Also, please read the FAQ, which contains a description of how it all
works. 

There's also a book coming out (
https://https.openbsd.org/cgi-bin/order?B10=1&B10%2b=Add or
https://www.michaelwlucas.com/nonfiction/absolute-openbsd-2nd-edition )
that you should be able to buy when you return for your OpenBSD 5.3 CD
set that explains this and other matters OpenBSD quite well (note: that
endorsement comes from the book's tech editor).

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
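
The check described in the reply above, as an added example that is not part of the original message: it compares the SHA256 files fetched from two mirrors and then hashes each downloaded package against them. It assumes the SHA256 file uses BSD-style `SHA256 (name) = digest` lines; the package names and contents are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# BSD-style checksum line: "SHA256 (name.tgz) = <64 hex digits>" (assumed format)
LINE_RE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")

def parse_manifest(text):
    """Return {filename: digest} from the contents of a SHA256 file."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def file_sha256(path):
    """Hash a file in chunks so large packages do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(pkg_dir, manifest_a, manifest_b):
    """Check each file in pkg_dir against manifests from two different mirrors."""
    a, b = parse_manifest(manifest_a), parse_manifest(manifest_b)
    results = {}
    for name in sorted(os.listdir(pkg_dir)):
        if name not in a or name not in b:
            results[name] = "not listed"         # unknown file: do not install
        elif a[name] != b[name]:
            results[name] = "mirrors disagree"   # one mirror is stale or altered
        elif file_sha256(os.path.join(pkg_dir, name)) != a[name]:
            results[name] = "checksum mismatch"  # download differs from manifest
        else:
            results[name] = "ok"
    return results

def demo():
    """Constructed sample: two fake packages, one altered after the manifest was made."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = b"constructed package A", b"constructed package B"
        for name, data in (("a-1.0.tgz", good), ("b-1.0.tgz", bad + b"!")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "".join("SHA256 (%s) = %s\n" % (n, hashlib.sha256(x).hexdigest())
                           for n, x in (("a-1.0.tgz", good), ("b-1.0.tgz", bad)))
        return verify(d, manifest, manifest)
```

A file reported as anything other than "ok" should not be passed to pkg_add.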
