Wednesday, July 03, 2024

Re: how to verify OpenBSD CVS repositories from mirrors?

On 2024-07-03 12:59 -05, "Brian Conway" <bconway@rcesoftware.com> wrote:
> On Wed, Jul 3, 2024, at 12:50 PM, Anon Loli wrote:
>> Hi!
>> I've recently compiled OpenBSD in order to change the source code for the
>> better.
>>
>> There is one problem, however.
>> How do you verify the CVS repository that you got from the available Anonymous
>> CVS Servers?
>> All that I see in manual pages and FAQ is (summarized):
>> 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
>> 3. compile
>> 4. boom, you now became awesome
>>
>> but what about step 2?
>> Like when you fetch binary images of OpenBSD, you are instructed to use
>> signify(1)
>> in order to verify the integrity/maliciousness of the fetched data.
>> Now how in the bug do you do that for CVS repositories?
>> Right now as far as my non-seeing eyes can see is "just compile the
>> possibly
>> malicious code, bruh, it's all correct"?
>
> You can verify the SSH keys of the anoncvs mirrors here:
>
> https://www.openbsd.org/anoncvs.html
>
> They are operated (for the most part) by the same
> developers/volunteers who contribute to the operating system source

Why would you trust those people? As far as I can work out they are a
bunch of weirdos.


> code. If you're not comfortable with that, I recommend using releases
> and snapshots exclusively.

I recommend reflecting on trusting trust.

>
> Brian Conway
> Owner
> RCE Software, LLC
>

--
In my defence, I have been left unsupervised.
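The quoted reply points at the SSH host-key fingerprints published on https://www.openbsd.org/anoncvs.html as the thing to check before trusting an anoncvs mirror. The following is an added example, not code from the thread or from the OpenBSD project: it reproduces the `SHA256:...` fingerprint that `ssh-keygen -lf` prints (SHA-256 over the raw public-key blob, base64 without padding) so that a line captured with `ssh-keyscan` can be compared against a pinned fingerprint before the host is added to `known_hosts`. The hostname `anoncvs.example.invalid` and the key material are constructed placeholders, not a real mirror's key; in practice the pinned value comes from the anoncvs page and the key line from `ssh-keyscan -t ed25519 <mirror>`.

```python
import base64
import hashlib
import hmac
import struct


def _build_ed25519_pubkey(seed_byte: int) -> str:
    """Construct a syntactically valid ssh-ed25519 public-key line for the demo.

    The 32 bytes of key material are a placeholder (one repeated byte), so this
    is NOT a usable key, only something with the right wire format:
    uint32 len, "ssh-ed25519", uint32 32, 32 bytes of public key.
    """
    key_material = bytes([seed_byte]) * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_material
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample in the shape ssh-keyscan prints: "<host> <keytype> <base64 blob>".
SAMPLE_KEYSCAN_LINE = "anoncvs.example.invalid " + _build_ed25519_pubkey(0x41)


def openssh_fingerprint(pubkey_line: str) -> str:
    """Return the fingerprint in the same form as `ssh-keygen -lf` (SHA256:...).

    Accepts either a plain public-key line ("ssh-ed25519 AAAA... comment") or a
    keyscan line with a leading hostname. Raises ValueError if the base64 blob
    does not announce the key type given in the text field, which catches a
    pasted or truncated line before it is compared to anything.
    """
    fields = pubkey_line.split()
    if fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        keytype, b64 = fields[0], fields[1]
    else:
        keytype, b64 = fields[1], fields[2]
    blob = base64.b64decode(b64)
    declared_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + declared_len] != keytype.encode():
        raise ValueError("key type in blob does not match key type field")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH strips the trailing '=' padding from the base64 digest.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pinned(pubkey_line: str, pinned_fingerprint: str) -> bool:
    """True only if the observed key's fingerprint equals the pinned one."""
    observed = openssh_fingerprint(pubkey_line)
    return hmac.compare_digest(observed, pinned_fingerprint)


if __name__ == "__main__":
    fp = openssh_fingerprint(SAMPLE_KEYSCAN_LINE)
    print("observed:", fp)
    print("matches pinned copy:", matches_pinned(SAMPLE_KEYSCAN_LINE, fp))
    # A different key (constructed) must be rejected even though the host name is the same.
    other = "anoncvs.example.invalid " + _build_ed25519_pubkey(0x42)
    print("tampered key accepted:", matches_pinned(other, fp))
```

The comparison only means something if the pinned fingerprint was obtained out of band (the anoncvs page fetched over HTTPS, or a copy shipped in an install set that was itself checked with signify(1)); a fingerprint read from the same mirror one is about to trust verifies nothing.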
