Wednesday, July 03, 2024

Re: how to verify OpenBSD CVS repositories from mirrors?

On Wed, Jul 03, 2024 at 08:04:59PM +0200, Florian Obser wrote:
> On 2024-07-03 12:59 -05, "Brian Conway" <bconway@rcesoftware.com> wrote:
> > On Wed, Jul 3, 2024, at 12:50 PM, Anon Loli wrote:
> >> Hi!
> >> I've recently compiled OpenBSD in order to change the source code for the
> >> better.
> >>
> >> There is one problem, however.
> >> How do you verify the CVS repository that you got from the available Anonymous
> >> CVS Servers?
> >> All that I see in manual pages and FAQ is(summarized):
> >> 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
> >> 3. compile
> >> 4. boom, you now became awesome
> >>
> >> but what about step 2?
> >> Like when you fetch binary images of OpenBSD, you are instructed to use
> >> signify(1) in order to verify the integrity/maliciousness of the fetched data.
> >> Now how in the bug do you do that for CVS repositories?
> >> Right now as far as my non-seeing eyes can see is "just compile the
> >> possibly malicious code, bruh, it's all correct"?
> >
> > You can verify the SSH keys of the anoncvs mirrors here:
> >
> > https://www.openbsd.org/anoncvs.html
> >
> > They are operated (for the most part) by the same
> > developers/volunteers who contribute to the operating system source
>
> Why would you trust those people? As far as I can work out they are a
> bunch of weirdos.

Exactly


> > code. If you're not comfortable with that, I recommend using releases
> > and snapshots exclusively.
>
> I recommend reflecting on trusting trust.

I know, everyone should read +6M of OpenBSD code and/or just delete/detach
files that aren't needed (but how do you know what you need? lol), but before
we can do that, the next best thing we can do is to trust only Theo de Raadt
himself and no one else.

> > Brian Conway
> > Owner
> > RCE Software, LLC
> >
>
> --
> In my defence, I have been left unsupervised.
>

I fucking love that disclaimer :D
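What Brian's pointer to anoncvs.html amounts to in practice is SSH host-key pinning: before you let cvs talk to a mirror over ssh, you check the host key the mirror presents against the fingerprint published on that page, and only then add it to known_hosts. The script below is an added example, not part of this thread and not OpenBSD project code. It computes the same SHA256 fingerprint format that ssh-keygen -l prints (SHA-256 over the decoded key blob, base64 without padding) and refuses any host whose key is not on the pinned list. The host name, the keys and the "published" fingerprint are all constructed here for the demonstration; real fingerprints must be copied from anoncvs.html, never derived from the key the server sends you.

```python
"""Pin an anoncvs mirror's SSH host key to a published fingerprint.

Added example, not OpenBSD project code. Host names and keys below are
constructed; real fingerprints come from https://www.openbsd.org/anoncvs.html.
"""
import base64
import hashlib
import struct


def ssh_wire_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(host: str, raw_pubkey: bytes) -> str:
    """Fabricate an ssh-keyscan style line '<host> ssh-ed25519 <base64 blob>'.

    Blob layout (string "ssh-ed25519", string 32-byte key) follows RFC 8709.
    Used only to build sample data so the example runs offline.
    """
    assert len(raw_pubkey) == 32
    blob = ssh_wire_string(b"ssh-ed25519") + ssh_wire_string(raw_pubkey)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def fingerprint_sha256(pubkey_line: str) -> str:
    """Return the OpenSSH-style 'SHA256:<base64, no padding>' fingerprint.

    Accepts ssh-keyscan / known_hosts lines ('<host> <type> <blob> ...') and
    .pub lines ('<type> <blob> [comment]'): the blob is the field that
    follows the key-type field.
    """
    fields = pubkey_line.split()
    type_idx = next(i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-")))
    digest = hashlib.sha256(base64.b64decode(fields[type_idx + 1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_mirror(keyscan_line: str, pinned: dict) -> tuple:
    """Compare one keyscan line against the pinned fingerprint for its host.

    Returns (ok, fingerprint). ok is False for an unknown host as well as a
    mismatch, so a mirror that is not on the published list is never trusted.
    """
    host = keyscan_line.split()[0]
    fp = fingerprint_sha256(keyscan_line)
    expected = pinned.get(host)
    return (expected is not None and expected == fp, fp)


def known_hosts_line(keyscan_line: str, pinned: dict) -> str:
    """Return the line to append to ~/.ssh/known_hosts, or raise on mismatch."""
    ok, fp = check_mirror(keyscan_line, pinned)
    if not ok:
        raise ValueError(f"host key fingerprint {fp} not on the pinned list")
    return keyscan_line


# --- constructed sample data (not real mirrors or keys) ----------------------
GOOD_KEY = make_ed25519_pubkey_line("anoncvs.example.net", bytes(range(32)))
# The "published" fingerprint is derived from the constructed key purely so
# the example is self-contained; in real use you copy it from anoncvs.html.
PINNED = {"anoncvs.example.net": fingerprint_sha256(GOOD_KEY)}
# Same host, key differing in one byte: what a spoofed mirror would present.
EVIL_KEY = make_ed25519_pubkey_line(
    "anoncvs.example.net", bytes([0xFF] + list(range(1, 32))))


if __name__ == "__main__":
    for line in (GOOD_KEY, EVIL_KEY):
        ok, fp = check_mirror(line, PINNED)
        print("OK  " if ok else "FAIL", fp)
```

In real use the input line comes from `ssh-keyscan -t ed25519 <mirror>`; once it checks out, the returned line goes into ~/.ssh/known_hosts and cvs is run with CVS_RSH=ssh against that mirror. The check proves only that you reached the machine whose key is listed on openbsd.org; whether that machine serves an honest tree is exactly the trust question the rest of the thread is about.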
