On 02/21/18 04:39, Kevin Chadwick wrote:
> On Tue, 20 Feb 2018 19:23:05 +0200
>> Isn't the same true when I download file sets from any mirror? After
>> all I download SHA256.sig abd file sets from mirror, how can I trust
>> it?
> I am not a developer but my take is that they do not want to tell you it
> is verified if you have been given a CD etc.. Anything could have been
> booted and tell you it is verified.
> You can verify the .iso manually and you can use e.g. isomaster to add
> sha256.sig to the CD in which case it will verify them. I have used
> this in the past as a scratched rw seemingly fails sooner on verify than
> reading and also won't try to upgrade.
> If you have already manually verified bsd.rd and booted from that as I
> and I guess most developers do most often when upgrading then you do
> want it to tell you the http retrieval verified.
> I guess it was the simplest way considering installer size
> constraints/battles to avoid misinforming the user.

I have a little snapshot upgrade script which:

- downloads snapshots/amd64/SHA256.sig from a mirror
- compares that against my latest local copy, exits if they are the same
(ie no new snapshot)
- TODO: grabs SHA256.sig from ftp.openbsd.org and compares, exits if the
 mirror is not in sync
- downloads snapshots/amd64/installXX.fs from the mirror
- verifies installXX.fs with signify
- vnd mounts installXX.fs and copies the files to where I expect them
for upgrade
- copies the (now verified) SHA256.sig into place
- copies the latest bsd.rd to / so I can boot from it
- informs me that a new snapshot is ready to install

It's not cron'ed, I just run it when I feel like maybe upgrading.

Somewhere on the todo list is to figure out how to build a custom bsd.rd
containing auto_upgrade.conf so that it's more or less automatic (works
great for local VMs, but I don't always control the upstream DHCP server
and anyway iwm firmware isn't ready at that point in the installer).


Reply via email to