OK, writing that blog entry didn't exactly make me trust Software Update any more than before. So am I just going to blindly install what and Level3 sent me?

Software Update placed a pkg into /Library/Updates/031-349 called OSXUpd10.9.2.pkg. It's 768542032 bytes long and shasums to eb07b505fe52f8833265a17b2f16ef941cf504da. Wouldn't it be prudent to compare this with the checksum of the OSXUpd10.9.2.pkg contained in the dmg image I manually downloaded?

Yes, of course it would. Unfortunately, that pkg is 769125841 bytes large and shasums to something else entirely.

Wrapped Payload

That's because both are wrappers for the actual package contained within. To get at the meat, use xar -x -f, which will eventually get you to a file called Payload. That is a bzip2-compressed tar archive. Now I find this quite hilarious. After all the hoops Apple went through, with xar, cpio, pax and what have you, they finally use tar to install, as they maybe should have right from the beginning.

There, at last, both Payload archives shasum out to a2392e7a3ec868679bb4cf29e9240ce687c03eba, which makes me a bit more relaxed :)
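
The same comparison without unpacking either package, as an added example that is not part of the original post: the script reads each xar wrapper's table of contents and hashes every entry named Payload directly from the archive. The function names are hypothetical, and it assumes the entry is stored in the xar either as-is or zlib-deflated (that is xar's own storage encoding, separate from whatever compression the Payload itself uses).

```python
import hashlib, struct, sys, zlib
import xml.etree.ElementTree as ET

def hash_entry(f, heap, data, chunk):
    """SHA-1 of one entry's extracted bytes, streamed from the xar heap."""
    enc = data.find("encoding")
    style = enc.get("style") if enc is not None else "application/octet-stream"
    if style == "application/octet-stream":
        inflate = lambda raw: raw                    # stored as-is
    elif style == "application/x-gzip":              # xar's label for zlib data
        inflate = zlib.decompressobj().decompress
    else:
        raise ValueError(f"unsupported encoding {style}")
    digest, left = hashlib.sha1(), int(data.findtext("length"))
    f.seek(heap + int(data.findtext("offset")))
    while left > 0:
        block = f.read(min(chunk, left))
        if not block:
            raise ValueError("archive truncated")
        digest.update(inflate(block))
        left -= len(block)
    return digest.hexdigest()

def payload_sha1s(pkg_path, name="Payload", chunk=1 << 20):
    """Map each entry called `name` inside a xar/.pkg to its SHA-1."""
    with open(pkg_path, "rb") as f:
        head = f.read(28)
        if len(head) < 28 or head[:4] != b"xar!":
            raise ValueError(f"{pkg_path}: not a xar archive")
        # big-endian: magic, header size, version, TOC sizes, checksum algorithm
        _, hdr_len, _, toc_clen, _, _ = struct.unpack(">4sHHQQI", head)
        f.seek(hdr_len)
        toc = ET.fromstring(zlib.decompress(f.read(toc_clen)))
        heap = hdr_len + toc_clen      # <offset> values count from here
        found = {}
        def walk(node, prefix):
            for entry in node.findall("file"):
                path = prefix + entry.findtext("name", "")
                data = entry.find("data")
                if entry.findtext("name") == name and data is not None:
                    found[path] = hash_entry(f, heap, data, chunk)
                walk(entry, path + "/")    # component packages nest as directories
        walk(toc.find("toc"), "")
        return found

if __name__ == "__main__":
    a, b = (payload_sha1s(p) for p in sys.argv[1:3])
    for path in sorted(set(a) | set(b)):
        print("match " if a.get(path) == b.get(path) else "DIFFER", path, a.get(path), b.get(path))
```

Matching digests show that both download paths delivered the same Payload; they do not by themselves show that the Payload is what Apple signed.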