Hello, I note that pkg_add can work over scp....

However, as a user who is told by the official OpenBSD documentation to use
packages, and that ports are for advanced users, I feel somewhat let
down... at this answer. Obviously I do not have ssh access to a mirror. I
also do not have the bandwidth to download all of the OpenBSD packages,
calculate the sha1sums of the packages and then distribute such a list. It
would also not be integrated into OpenBSD's pkg_add.

The answer often provided is: buy the CD-ROMs. That is one answer, sure. BUT
THEN I cannot agree that *free*, *practical* and *secure*. Why? Well, CD-ROMs
cost money. --> cost --> not free. It is practical to use binary packages
--> verification (if you only use the packages -> you have the checksums /
they are elsewhere). ---> peace of mind --> extended practical use.
Secure.... no checksums stored locally / signed (and then distributed in the
operating system) is likely to result in package integrity being
compromised.


It does not matter what faith one places in the PKI or webs of trust
(gpg/pgp style). Most Linux distributions have had their packages signed for
years (for example at Ruxcon - an Australian security conference - a large
number of participants had OpenBSD t-shirts, stickers etc -> if one had a sig
/ link to a chain it could have been spread / if it was on a CD --> key
could be compared to what others had). Why not OpenBSD?

This seems trivial to me.
