Thursday, July 04, 2024

Re: how to verify OpenBSD CVS repositories from mirrors?

On 2024-07-03, Anon Loli <anonloli@autistici.org> wrote:
> How do you verify the CVS repository that you got from the available Anonymous
> CVS Servers?
> All that I see in manual pages and FAQ is (summarized):
> 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
> 3. compile
> 4. boom, you now became awesome
>
> but what about step 2?
> Like when you fetch binary images of OpenBSD, you are instructed to use signify(1)
> in order to verify the integrity/maliciousness of the fetched data.
> Now how in the bug do you do that for CVS repositories?

Best you can do is check out from a couple of mirrors (verifying ssh key
fingerprints against the set on https://www.openbsd.org/anoncvs.html
to guard against mitm) and compare the checkouts (being aware that they
may have been updated at different times so might not all have the most
recent commits).

--
Please keep replies on the mailing list.
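The two checks the reply describes (host-key fingerprint against anoncvs.html, then comparing checkouts while allowing for a mirror that lags) as an added POSIX shell example; it is not part of the original post or of OpenBSD's own tooling. It assumes plain `cvs checkout` trees with `CVS/` bookkeeping directories, whitespace-free paths, and an OpenSSH `ssh-keygen` that accepts `-f -` to read a key from stdin.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenBSD project.

# Revision recorded for a file in its checkout's CVS/Entries.
# Entries lines look like: /name/1.23/Tue Jul  2 10:00:00 2024//
# $1 = checkout root, $2 = path relative to that root
entry_rev() {
    awk -F/ -v f="$(basename "$2")" '$2 == f { print $3 }' \
        "$1/$(dirname "$2")/CVS/Entries" 2>/dev/null
}

# Compare two checkouts, ignoring CVS/ bookkeeping (Root and Repository
# legitimately differ per mirror). Each differing file is reported as:
#   newer    recorded revisions differ: one mirror simply has a later commit
#   MISMATCH same recorded revision but different content: investigate
#   only     present in one checkout only (new/removed file or lagging mirror)
# Returns 0 when nothing was flagged MISMATCH.
compare_checkouts() {
    a=$1; b=$2
    report=$(diff -rq -x CVS "$a" "$b" | while read -r line; do
        case $line in
            "Files "*" differ")
                rel=${line#"Files $a/"}; rel=${rel%" and "*}
                ra=$(entry_rev "$a" "$rel"); rb=$(entry_rev "$b" "$rel")
                if [ "$ra" = "$rb" ]; then
                    echo "MISMATCH $rel (both recorded as rev ${ra:-?})"
                else
                    echo "newer    $rel (rev ${ra:-?} vs ${rb:-?})"
                fi ;;
            "Only in "*) echo "only     ${line#Only in }" ;;
        esac
    done)
    [ -n "$report" ] && printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^MISMATCH'
}

# Before trusting a mirror, compare its SSH host key fingerprint with the one
# published on https://www.openbsd.org/anoncvs.html (guards against a MITM on
# the transport). $1 = mirror host, $2 = published fingerprint ("SHA256:...").
# Assumes ssh-keygen accepts "-f -" to read the scanned key from stdin.
verify_host_fingerprint() {
    ssh-keyscan -t ed25519 "$1" 2>/dev/null | ssh-keygen -lf - | grep -qF "$2"
}
```

A file that differs while both checkouts record the same revision cannot be explained by one mirror being ahead, which is why only that case is flagged.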