> I'm installing -current from snapshots, from time to time. I use to > download the .iso file then burn it and check the files on cdrom > against SHA256 file downloaded together with .iso. > > Since some time, the x*.tgz are reported as FAILED in this check. I > send another email to the list, I got one answer but I'm not able yet > to get the idea. So, I ask again, is still this SHA256 used for _all_ > files or it is just for non x* files in snapshots? Should I use it to > check the files snaphots or not ? Because if I don;t have this check, > how could I be sure about files integrity after download and even > after burning ?
The SHA256's of the sets build just before bsd.rd are encoded directly into the bsd.rd. This is no PKI. It means the bsd.rd can only validate the sets that were built at the same time. If time passes, the bsd.rd will not recognize the next set of files. We cannot even promise that the SHA256 file in the directory matches what the bsd.rd file knows. The ftp servers are not atomic.
