2009/5/11 Cem Kayali <cemkay...@eticaret.com.tr>:
> Actually, i read through those messages, and in brief it is said that
>
> "we think it's worse to sign packages than not to sign them if you don't have
> a fairly strict process that ensures you have a correct chain of trust.
> Without that, signatures provide a false sense of security that doesn't
> match anything..."
>
> If someone use checksum on mirror, it does not make sense but if someone uses
> checksums from either CD or ssh'ed anonCVS server, i think it is fine
> (_not?_)
>
> Let's forget about packages... then is it (below) the best way to have almost
> ideal system?
>
> - Buy CD rom, since it is original. Install original packages.
> - If a package is not on CD then get ports.tgz through anoncvs server and
>   built by compiling.

ports.tar.gz is on the CD. As is src.tar.gz. (look on CD3 if you have them)

> Patience is a virtue, and helping too, and i thank you for your reply.
> Really.
>
> Regards,
> Cem
>
> Jasper Valentijn, 05/11/09 18:41:
>>
>> 2009/5/11 Cem Kayali <cemkay...@eticaret.com.tr>:
>>
>>> If someone (who knows) reply, i would appreciate...
>>
>> Patience is a virtue...
>>
>>> If i would download packages through a mirror server, how could i validate
>>> their checksum? Please note, i'm NOT mentioning about using checksum on
>>> mirror server, which is not valid if the packages are already
>>> compromised... Shouldn't these checksums exist on openbsd.org main web site
>>> at least?
>>
>> <http://marc.info/?l=openbsd-misc&w=2&r=1&s=packages+checksum&q=b>
>>
>> And read.
>>
>> If you've downloaded ports.tar.gz, untarred it and done a cvs up -C -Pd
>> you can be sure it's in sync with the cvs server...
>>
>>>> since i couldn't see a list of md5/sha256(512) sums of those in main
>>>> www.openbsd.org website ---nor somebody mentions they are in cdroms? Maybe i
>>>> can get ports via anoncvs but not packages. Well, ordering cd-rom is not a
>>>> problem, but it does not contain all the software i wish -probably.
>>
>> It does support the project and does contain a clean ports tarball.
>>
>>>> I'm sorry if this looks like 101 OpenBSD question, this is just how NetBSD
>>>> (that i use) handles.
>>
>> You're not the first to ask and not the first who didn't search the
>> archives before asking...
>>
>> --
>> We spend the first twelve months of our children's lives teaching
>> them to walk and talk and the next twelve telling them to sit down and
>> shut up.

--
The SnW brigade wants to recruit you - http://brigade.snw.googlepages.com
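
The check discussed in this thread, as an added example that is not part of the original messages: files fetched from a mirror are compared against a digest list obtained over a separate channel you trust, never against a list served by the same mirror. It assumes the list uses BSD-style `SHA256 (name) = hex` lines; the function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# BSD-style digest line: "SHA256 (ports.tar.gz) = <64 hex digits>"
ENTRY = re.compile(r"SHA256 \(([^)/]+)\) = ([0-9a-f]{64})")

def parse_manifest(text):
    """Return {filename: hexdigest}; reject malformed or duplicate lines."""
    digests = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.fullmatch(line)
        if m is None or m[1] in digests:
            raise ValueError(f"bad manifest line: {line!r}")
        digests[m[1]] = m[2]
    return digests

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def verify_downloads(download_dir, trusted_manifest):
    """Map each downloaded file to 'ok', 'mismatch' or 'unlisted'."""
    trusted = parse_manifest(trusted_manifest)
    status = {}
    for p in sorted(Path(download_dir).iterdir()):
        want = trusted.get(p.name)
        if want is None:
            status[p.name] = "unlisted"  # no trusted digest: do not install
        else:
            ok = hmac.compare_digest(sha256_file(p), want)
            status[p.name] = "ok" if ok else "mismatch"
    return status

def demo():
    # Constructed data: manifest built from known-good bytes (stand-in for a trusted list).
    good = {"ports.tar.gz": b"ports tree", "src.tar.gz": b"source tree"}
    manifest = "".join(f"SHA256 ({n}) = {hashlib.sha256(b).hexdigest()}\n"
                       for n, b in good.items())
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ports.tar.gz").write_bytes(good["ports.tar.gz"])
        Path(d, "src.tar.gz").write_bytes(b"source tree, altered on the mirror")
        Path(d, "extra.tgz").write_bytes(b"not listed anywhere trusted")
        return verify_downloads(d, manifest)
```

Calling `demo()` returns the per-file verdicts; a file absent from the trusted list is reported separately from a mismatch so it is not silently accepted.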