Wednesday, July 03, 2024

Re: how to verify OpenBSD CVS repositories from mirrors?

On Wed, Jul 3, 2024, at 12:50 PM, Anon Loli wrote:
> Hi!
> I've recently compiled OpenBSD in order to change the source code for the
> better.
>
> There is one problem, however.
> How do you verify the CVS repository that you got from the available Anonymous
> CVS Servers?
> All that I see in manual pages and FAQ is (summarized):
> 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
> 3. compile
> 4. boom, you now became awesome
>
> but what about step 2?
> Like when you fetch binary images of OpenBSD, you are instructed to use signify(1)
> in order to verify the integrity/maliciousness of the fetched data.
> Now how in the bug do you do that for CVS repositories?
> Right now as far as my non-seeing eyes can see is "just compile the possibly
> malicious code, bruh, it's all correct"?

You can verify the SSH keys of the anoncvs mirrors here:

https://www.openbsd.org/anoncvs.html

They are operated (for the most part) by the same developers/volunteers who contribute to the operating system source code. If you're not comfortable with that, I recommend using releases and snapshots exclusively.

Brian Conway
Owner
RCE Software, LLC
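
An added example, not part of the original thread: one way to check a mirror's SSH host key against a published fingerprint before trusting a checkout. It assumes the fingerprint is given in OpenSSH's `SHA256:` format; the host name `anoncvs.example.org`, the key bytes and the "published" value are constructed placeholders, not real mirror data.

```python
import base64
import hashlib
import struct

def parse_host_key_line(line):
    """Parse 'host keytype base64blob [comment]' (ssh-keyscan / known_hosts format)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    host, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed key type; it must agree with the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type field does not match key blob")
    return host, key_type, blob

def sha256_fingerprint(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def host_key_matches(line, published):
    """published maps key type -> fingerprint copied from a trusted page over HTTPS."""
    _, key_type, blob = parse_host_key_line(line)
    return key_type in published and sha256_fingerprint(blob) == published[key_type]

def _constructed_line(host, key_bytes):
    # Constructed sample input: a well-formed ssh-ed25519 blob with made-up key bytes.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"

SAMPLE_HOST = "anoncvs.example.org"                        # placeholder host
GOOD_LINE = _constructed_line(SAMPLE_HOST, bytes(range(32)))
OTHER_LINE = _constructed_line(SAMPLE_HOST, bytes(32))     # a different key, same host
# Stand-in for the value you would copy from the published list (constructed here).
PUBLISHED = {"ssh-ed25519": sha256_fingerprint(parse_host_key_line(GOOD_LINE)[2])}

if __name__ == "__main__":
    for label, line in (("expected key", GOOD_LINE), ("unexpected key", OTHER_LINE)):
        _, _, blob = parse_host_key_line(line)
        verdict = "match" if host_key_matches(line, PUBLISHED) else "MISMATCH, do not connect"
        print(f"{label}: {sha256_fingerprint(blob)} -> {verdict}")
```

With a real mirror, the input line comes from `ssh-keyscan` or your `known_hosts` file, and `ssh-keygen -lf` prints the same fingerprint for a cross-check.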
