Wednesday, July 03, 2024

Re: how to verify OpenBSD CVS repositories from mirrors?

On Wed, Jul 3, 2024, at 1:04 PM, Florian Obser wrote:
> On 2024-07-03 12:59 -05, "Brian Conway" <bconway@rcesoftware.com> wrote:
>> On Wed, Jul 3, 2024, at 12:50 PM, Anon Loli wrote:
>>> Hi!
>>> I've recently compiled OpenBSD in order to change the source code for the
>>> better.
>>>
>>> There is one problem, however.
>>> How do you verify the CVS repository that you got from the available Anonymous
>>> CVS Servers?
>>> All that I see in manual pages and FAQ is (summarized):
>>> 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
>>> 3. compile
>>> 4. boom, you now became awesome
>>>
>>> but what about step 2?
>>> Like when you fetch binary images of OpenBSD, you are instructed to use
>>> signify(1) in order to verify the integrity/maliciousness of the fetched
>>> data.
>>> Now how in the bug do you do that for CVS repositories?
>>> Right now as far as my non-seeing eyes can see is "just compile the
>>> possibly malicious code, bruh, it's all correct"?
>>
>> You can verify the SSH keys of the anoncvs mirrors here:
>>
>> https://www.openbsd.org/anoncvs.html
>>
>> They are operated (for the most part) by the same
>> developers/volunteers who contribute to the operating system source
>
> Why would you trust those people? As far as I can work out they are a
> bunch of weirdos.

I meant to say, except ftp.hostserver.de .
