From: Antoine Jacoutot <ajacoutot@bsdfrog.org>
Subject: Re: syspatch -c : call ftp(1) with timeout
To: Matthieu Herrb <matthieu@openbsd.org>
Cc: tech@openbsd.org
Date: Sat, 21 Feb 2026 13:00:31 +0100

On Sat, Feb 21, 2026 at 08:48:58AM +0100, Matthieu Herrb wrote:
> Hi,
> 
> I'm using syspatch -c in the monitoring system for a number of OpenBSD
> machines at work.
> From time to time the host listed in /etc/installurl becomes
> unavailable for hours. (I've seen that both with a dedicated mirror or
> with the cdn) causing monitoring errors because the agent (check_mk)
> is stuck.
> 
> Adding a timeout option to the ftp(1) command run by syspatch -c is
> enough for me to not have the OpenBSD machines appear unresponsiv in
> the monitoring system.
> 
> Would something like this make sense ?

I think it does.
But why not add it to some of the other ftp(1) calls?

> Index: syspatch.sh
> ===================================================================
> RCS file: /local/cvs/src/usr.sbin/syspatch/syspatch.sh,v
> diff -u -p -u -r1.169 syspatch.sh
> --- syspatch.sh	27 Oct 2025 16:30:24 -0000	1.169
> +++ syspatch.sh	21 Feb 2026 07:39:01 -0000
> @@ -173,7 +173,7 @@ ls_missing()
>  	local _c _f _cmd _l="$(ls_installed)" _p _sha=${_TMP}/SHA256
>  
>  	# don't output anything on stdout to prevent corrupting the patch list
> -	unpriv -f "${_sha}.sig" ftp -N syspatch -MVo "${_sha}.sig" \
> +	unpriv -f "${_sha}.sig" ftp -w 30 -N syspatch -MVo "${_sha}.sig" \
>  		"${_MIRROR}/SHA256.sig" >/dev/null
>  	unpriv -f "${_sha}" signify -Veq -x ${_sha}.sig -m ${_sha} -p \
>  		/etc/signify/openbsd-${_OSrev}-syspatch.pub >/dev/null
> 
> -- 
> Matthieu Herrb
> 

-- 
Antoine