On 2018/05/02 18:03, Elias M. Mariani wrote:
> I know that using the main mirror is a bad idea, but between paranoia
> and being in Argentina I don't know which mirror to trust,

For initial OS download, you could at least bootstrap things by checking
SHA256.sig against a couple of mirrors in different places, and if you
have signify available (which obviously you will have if you're running
recent OpenBSD) checking the signature when you download base system
files. (The upobsd package might be useful if you're doing OS updates by
downloading new bsd.rd install kernels).

pkg_add checks downloaded packages with signify *before* decompressing -
download and decompression are now both done with (separate) low-privileged
uids - which avoids most of the worst things that an untrustworthy mirror
could do.

> I guess
> that using the Brazilian one would be faster than bringing the files
> from Canada to Argentina. :(

You'd have to try it to know about speed, it depends on network links
between you and the mirror. But at the moment the Brazilian mirror is
definitely mid-sync, and they clearly don't use --delay-updates etc.
either :) Files at the start of the alphabet are 2018/05/02 and end of
the alphabet are 2018/05/01, plus xz isn't present (the default delete
behaviour of rsync is to remove local files that are no longer present
on the upstream *first*, i.e. in this case the old xz package, and then
start updating the rest - with xz at the end of the alphabet updates to
this package will be more noticeable than something at the start of the
alphabet!).

Generally I'd recommend using one of the CDNs for releases, and a
single chosen good mirror (not CDN) for snapshots.
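
Added example, not part of the original message: a shell sketch of the bootstrap check described above, fetching SHA256.sig from several mirrors, refusing to continue unless every copy is byte-identical, then running signify in checksum mode. The mirror URLs, the `X.Y`/`XY` release placeholders, the script name `crosscheck.sh` and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Placeholders (assumptions, not from the message): the
# mirror URLs in MIRRORS and the release key path in PUBKEY.

# fetch_sig URL OUTFILE: download one mirror's copy of SHA256.sig.
fetch_sig() {
    if [ "$(uname -s)" = OpenBSD ]; then
        ftp -V -o "$2" "$1"
    else
        curl -fsS -o "$2" "$1"
    fi
}

# sigs_agree FILE...: succeed only if at least two copies were given,
# none is missing or empty, and all are byte-identical.
sigs_agree() {
    [ "$#" -ge 2 ] || { echo "need copies from at least two mirrors" >&2; return 2; }
    first=$1
    for f in "$@"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        cmp -s "$first" "$f" || { echo "MISMATCH: $first vs $f" >&2; return 1; }
    done
}

# verify_sets PUBKEY DIR FILE...: signify checks the signature on
# DIR/SHA256.sig, then the SHA256 of each named file in DIR.
verify_sets() {
    pub=$1 dir=$2; shift 2
    ( cd "$dir" && signify -C -p "$pub" -x SHA256.sig "$@" )
}

# Runs only when MIRRORS is set, e.g.
#   MIRRORS="https://mirror-a.example/X.Y/amd64 https://mirror-b.example/X.Y/amd64" \
#   PUBKEY=/etc/signify/openbsd-XY-base.pub sh crosscheck.sh bsd.rd
# Files named on the command line must already be in the current directory.
if [ -n "${MIRRORS:-}" ]; then
    tmp=$(mktemp -d) || exit 1
    n=0; copies=
    for m in $MIRRORS; do
        n=$((n + 1))
        fetch_sig "$m/SHA256.sig" "$tmp/sig.$n" || exit 1
        copies="$copies $tmp/sig.$n"
    done
    sigs_agree $copies || exit 1
    cp "$tmp/sig.1" ./SHA256.sig
    verify_sets "${PUBKEY:?set PUBKEY}" . "$@"
fi
```

Agreement between mirrors only shows that no single mirror is serving a different SHA256.sig; the signify check against a public key you already hold is what authenticates the files.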
