Wednesday, July 03, 2024

How to verify OpenBSD CVS repositories from mirrors?

Hi!
I've recently compiled OpenBSD in order to change the source code for the
better.

There is one problem, however.
How do you verify the CVS repository that you got from the available Anonymous
CVS Servers?
All that I see in manual pages and FAQ is (summarized):
1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
3. compile
4. boom, you now became awesome

but what about step 2?
Like when you fetch binary images of OpenBSD, you are instructed to use signify(1)
in order to verify the integrity/maliciousness of the fetched data.
Now how in the bug do you do that for CVS repositories?
Right now, as far as my non-seeing eyes can see, it's "just compile the possibly
malicious code, bruh, it's all correct"?

Within release(8), it says to "Make and validate the base
system/Xenocara release", but I don't think that's what I'm looking for.

Okay, I can do a signify operation with openbsd-75-base.pub for example,
because src.tar.gz is in SHA256* files, but a cvs copy isn't a .tar.gz file, do
I have to utilize tar functions myself?

If so, then that's annoying as fuck, especially since I didn't see anywhere the
utilization of signify or whatnot.
If that's true, then I need to reinstall and recompile EVERYTHING yet again -_-


I hope I'm just a big fool; I'd rather be stupid here than be correct about this.
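
One way to approach the missing "step 2" the post asks about, as an added example that is not part of the original post or of OpenBSD's documentation: verify src.tar.gz against the signed SHA256.sig with signify(1), unpack it, and compare the CVS checkout against that verified tree. It assumes the checkout was taken at the same release the tarball was built from and that src.tar.gz unpacks to the top of the source tree; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: compare a CVS checkout with the signify-verified src.tar.gz.
# Usage (hypothetical script): RELDIR PUBKEY CHECKOUT
#   RELDIR   directory holding the downloaded SHA256.sig and src.tar.gz
#   PUBKEY   path to openbsd-75-base.pub
#   CHECKOUT top of the source tree obtained over anonymous CVS

# Check src.tar.gz against the signed checksum list; unpack only if it passes.
verify_and_extract() {
    ( cd "$1" && signify -C -p "$2" -x SHA256.sig src.tar.gz ) || return 1
    mkdir -p "$3" && tar -xzf "$1/src.tar.gz" -C "$3"
}

# Print one line per discrepancy, skipping CVS/ metadata directories:
#   MISSING  in the verified tree but not in the checkout
#   CHANGED  present in both, contents differ
#   EXTRA    only in the checkout (includes anything the tarball never shipped)
# Returns 0 only when nothing was reported.
compare_trees() {
    ref=$1 co=$2
    report=$(
        ( cd "$ref" && find . -name CVS -prune -o -type f -print ) |
        while IFS= read -r f; do
            if [ ! -f "$co/$f" ]; then echo "MISSING $f"
            elif ! cmp -s "$ref/$f" "$co/$f"; then echo "CHANGED $f"
            fi
        done
        ( cd "$co" && find . -name CVS -prune -o -type f -print ) |
        while IFS= read -r f; do
            [ -f "$ref/$f" ] || echo "EXTRA $f"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

if [ "$#" -eq 3 ]; then
    tmp=$(mktemp -d) || exit 1
    verify_and_extract "$1" "$2" "$tmp" && compare_trees "$tmp" "$3"
fi
```

A checkout of a different branch or date will legitimately report CHANGED and EXTRA files, so the output is only meaningful when both trees are meant to be the same release.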
