Judah Kocher writes:

> My router is headless. I have never run into an issue where I have 
> needed anything from the X sets

Apparently you just did.

> Therefore it seems like sound logic to not have those 
> bits and bytes present on the system so any 
> mis-configurations/bugs/vulnerabilities cannot impact my network security.

This idea stems from sound advice but you are neglecting the parable of
Chesterton's Fence[1].

> My router is not unbootable but I am not sure how secure it is anymore 

This says it all really. You should be, in spite of your present
setback. You should not have set up your system in a way that permits
you to be put in a position of not knowing how secure it is. Go back to
first principles and redesign.

> All of my partitions have at least 75% free space, except /usr which 
> after the sysupgrade is listed by df as being filled to 104% capacity. 
> I'm not even sure how that's possible.

Because filesystems. They're documented.

> I don't particularly look forward to having to rebuild it 
> from scratch or how long it will be before I find the time to do so.

Good thing you have backups then, eh?

> That being said, I realize there is plenty I do not know,

First thing: A backup that cannot be [proven to be] restored is not a backup.

> I experiment with making changes on a VM and observing the results until 
> I feel like I have a solid grasp on what will occur before pushing 
> anything to my live system, which sometimes takes months due to life, 

Good practice.

> reading the sysupgrade manpage there is nothing 
> which even hints that any software which was explicitly rejected during 
> the original install will be installed anyway by this tool.

*grumble*

It seems that the OpenBSD devs and/or project "support" only an
installation which has not taken advantage of any of the optional
non-extras (primarily: not installing sets) the installer has to
offer. I understand and agree with the reasons for this but I grumble
somewhat about the way it's presented.

Passively-aggressive only because I have no solution on hand to fix
problems I can't quite even describe.

If your system is not a match then on your own head be it. It's a big,
complicated thing but it's not that hard to understand. I suggest
reading the sources to the boot loader, installer and the kernel's main
startup routine to get a solid handle on things before progressing onto
what /etc/rc and pals are doing and the layout of the filesystem etc.

> It looks like my best chance to be certain I have the router in the 
> state I think I do will be to do a fresh install and then use sysupgrade 
> using a variation of the script Leo mentioned in his email on 7/9/19:

Or just store some bits in a place where they can't possibly be used so
that you don't have to waste any of your limited effort on something
that has no impact on anything?

Your emphasis on security is admirable but misguided.

Matthew

[1] https://en.wikipedia.org/wiki/G._K._Chesterton#Chesterton's_fence
