On 2020-12-10, Chris Bennett <[email protected]> wrote:
> On Wed, Dec 09, 2020 at 11:22:58AM +0800, Tito Mari Francis Escaño wrote:
>> Hi misc,
>> I recently installed 6.8 on VM then applied errata patches.
>> When I tried to install git, it complained that git is not in the
>> packages-stable folder, I was pleasantly surprised. The
>> /etc/installurl by default is http://cdn.openbsd.org/pub/OpenBSD, and
>> I got error 503 on the site. Checking the default URL indicates it may
>> be down, same goes for Cloudflare CDN, Verizon seems working alright.
>> When I changed /etc/installurl to where I used to get packages:
>> http://ftp.jaist.ac.jp/pub/OpenBSD, it worked as expected.
>> This raised the following questions:
>> Does this mean when we apply errata patches, we're now automatically
>> using stable release and need to use stable packages?
>> Is it advisable to keep the /etc/installurl automatically default to
>> http://cdn.openbsd.org/pub/OpenBSD or should users be advised to
>> select packages from package sources geographically near them?
>> Please advise. Thanks and keep up the great work.
If you have a good local mirror then it is usually the best choice to use it. In that case the actual files are present on the system near you. With the CDNs, unless you pick a frequently accessed file that is cached locally, they are fetched from the origin server (for cdn.openbsd.org this is in Canada, reached via Seattle). This is usually via a fairly fast network and with various optimizations that mean it's likely to be faster than fetching it directly from Canada yourself, but unless you're fairly close then it's likely to still be slower than a local "real" mirror.

For snapshots there are additional problems: you're very unlikely to get any benefit from the cache at all, and because the filenames don't change between snapshots, if files are cached near you then there can be problems getting a mix of two snaps.

> If you find a good mirror, you can hard code the PKG_PATH
> export PKG_PATH=...
> it can use multiple servers separated by :
> Be sure to change it to 6.9 later!

Assuming they use the standard /pub/OpenBSD paths then you can set PKG_PATH to just the mirror name and the version (or "snapshots") and arch will be filled in. Or if you always use snapshots you can use http://whatever/pub/OpenBSD/snapshots/%a, then you don't need to mess about with pkg_add -Dsnap around release time.

> That's what I do when I have cdn problems.
> Avoid the OpenBSD source, if possible.
> Please use https. Some ISPs insert crap into http.

Sounds like a good reason to use a better ISP :)

Package packing-lists are verified using signify signatures, and files inside the package using sha256 from the (signed) plist, so it will be very obvious if those files are changed. And because pkg_add doesn't use persistent connections, https really slows it down as it has to make a new TLS handshake for every package you have installed (even if no update is needed).

> Certs are free, why doesn't a trusted source not have one?
Some mirror servers are not on especially new hardware and may not have loads of cpu to spare to encrypt everything. Also some may consider it a waste of cpu time if the files are signed anyway. (For file distribution where signature checks are not done automatically, I have a feeling that seeing something fetched over https might suggest to the user that things are safe and they don't need to bother to do a check manually - this is of course not the case, as https does nothing to help if a server has been compromised; it only deals with the transport layer).

> IMHO, you really should run stable. Although you might look at the

Or -current :-)

> patches and decide not to. packages-stable may or may not have security
> fixes you need. syspatch often, but not always, needs a reboot.
>
> But it's your system, do as you please. A security patch might not be
> relevant to you.
>
> Chris Bennett
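The integrity argument made in the reply above (transport security is not what protects package contents; the signed packing-list is) can be shown with a small model. The following is an added example, not code from the thread or from OpenBSD's pkg_add: it builds a simplified +CONTENTS-style packing-list with @sha (base64 SHA-256) and @size annotations, packs constructed sample files into a tar.gz, and checks the archive against the list. The plist format is reduced to those annotations, the sample "hello-1.0" package is invented, and the signify verification of the plist itself is assumed to have already happened before this step.

```python
import base64
import hashlib
import io
import tarfile

# Constructed sample package contents (hypothetical "hello" package); these
# are not files from any real OpenBSD package.
ORIGINAL_FILES = {
    "bin/hello": b"#!/bin/sh\necho hello\n",
    "share/doc/hello/README": b"hello: prints a greeting\n",
}


def sha_b64(data: bytes) -> str:
    """Base64 SHA-256, the encoding used by @sha lines in a packing-list."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_plist(name: str, files: dict) -> str:
    """Produce a simplified +CONTENTS-style packing-list: @sha and @size
    annotations precede each regular file entry."""
    lines = [f"@name {name}", "@comment constructed packing-list for illustration"]
    for path in sorted(files):
        data = files[path]
        lines += [f"@sha {sha_b64(data)}", f"@size {len(data)}", path]
    return "\n".join(lines) + "\n"


def parse_plist(text: str) -> dict:
    """Return {path: (sha_b64, size)} for every file entry in the plist."""
    expected, sha, size = {}, None, None
    for line in text.splitlines():
        if line.startswith("@sha "):
            sha = line.split(" ", 1)[1]
        elif line.startswith("@size "):
            size = int(line.split(" ", 1)[1])
        elif line.startswith("@"):
            continue  # @name, @comment, ... carry no file to check here
        elif line.strip():
            expected[line] = (sha, size)
            sha, size = None, None
    return expected


def build_package(files: dict) -> bytes:
    """Pack files into a gzip'd tar, the way a package is shipped."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_package(pkg: bytes, plist: str) -> list:
    """Check every file in the archive against the (assumed already
    signify-verified) packing-list. Returns a list of problems; an empty
    list means every file matched, whatever transport delivered it."""
    expected = parse_plist(plist)
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(pkg), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            if member.name not in expected:
                problems.append(f"{member.name}: not listed in packing-list")
                continue
            data = tar.extractfile(member).read()
            want_sha, want_size = expected[member.name]
            if want_size is not None and len(data) != want_size:
                problems.append(f"{member.name}: size mismatch")
            elif sha_b64(data) != want_sha:
                problems.append(f"{member.name}: sha256 mismatch")
    for path in expected:
        if path not in seen:
            problems.append(f"{path}: missing from archive")
    return problems


def demo() -> tuple:
    """Verify the genuine archive, then one where a file was altered in
    transit with its length kept the same (a size check alone would pass)."""
    plist = build_plist("hello-1.0", ORIGINAL_FILES)
    good = verify_package(build_package(ORIGINAL_FILES), plist)
    tampered = dict(ORIGINAL_FILES)
    tampered["bin/hello"] = b"#!/bin/sh\necho hullo\n"  # same length as original
    bad = verify_package(build_package(tampered), plist)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("genuine package:", good or "all files match")
    print("tampered package:", bad)
```

The check is only as good as the plist it trusts, which is why the signature over the plist is the step that matters: a modified archive is caught whether it came over http or https, while a compromised mirror serving a consistently re-signed plist would not be, and https would not help there either.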

