Wednesday, July 03, 2024

Re: how to verify OpenBSD CVS repositories from mirrors?

On Wed, Jul 03, 2024 at 12:59:55PM -0500, Brian Conway wrote:
> On Wed, Jul 3, 2024, at 12:50 PM, Anon Loli wrote:
> > Hi!
> > I've recently compiled OpenBSD in order to change the source code for the
> > better.
> >
> > There is one problem, however.
> > How do you verify the CVS repository that you got from the available Anonymous
> > CVS Servers?
> > All that I see in manual pages and FAQ is (summarized):
> > 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
> > 3. compile
> > 4. boom, you now became awesome
> >
> > but what about step 2?
> > Like when you fetch binary images of OpenBSD, you are instructed to use
> > signify(1)
> > in order to verify the integrity/maliciousness of the fetched data.
> > Now how in the bug do you do that for CVS repositories?
> > Right now, as far as my non-seeing eyes can see, it is "just compile the
> > possibly malicious code, bruh, it's all correct"?
>
> You can verify the SSH keys of the anoncvs mirrors here:
>
> https://www.openbsd.org/anoncvs.html
>
> They are operated (for the most part) by the same developers/volunteers who contribute to the operating system source code. If you're not comfortable with that, I recommend using releases and snapshots exclusively.
>
> Brian Conway
> Owner
> RCE Software, LLC
>

How in the fish does verifying SSH keys virtually eliminate malicious
behavior? They can be an authentic SSH server, but since it's not the official
"openbsd.org" server, they can easily inject their own malicious code; it's
very easy, in my opinion.
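What Brian's pointer to anoncvs.html amounts to in practice, written out as an added example that is not part of this thread and not OpenBSD project code: take the host key a mirror presents (the output of `ssh-keyscan -t ed25519 <mirror>`), compute its OpenSSH-style fingerprint, compare it with the fingerprint you copied by hand from https://www.openbsd.org/anoncvs.html, and only then write a known_hosts entry for `CVS_RSH=ssh` to use. The mirror name `anoncvs.example.org`, the ed25519 key blob and the "published" fingerprint are all constructed here so the script runs offline; none of them belong to a real mirror. Note what the check does and does not buy you: a match says you are talking to the machine listed on anoncvs.html, it says nothing about the tree that machine serves, which is the point raised above.

```python
import base64
import hashlib
from typing import Dict, Optional, Tuple

# CONSTRUCTED ssh-ed25519 host key (not a real mirror key). The OpenSSH wire
# blob is: uint32 len | "ssh-ed25519" | uint32 len | 32 key bytes.
_KEY_BYTES = bytes(range(32))
_WIRE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + _KEY_BYTES
GOOD_BLOB = base64.b64encode(_WIRE_BLOB).decode()

# Same key with one byte flipped: what a rogue host or a man-in-the-middle
# would present instead.
_tampered = bytearray(_WIRE_BLOB)
_tampered[-1] ^= 0x01
TAMPERED_BLOB = base64.b64encode(bytes(_tampered)).decode()

# Constructed stand-in for `ssh-keyscan -t ed25519 anoncvs.example.org`
# (hypothetical mirror name; ssh-keyscan prints the "# host:22 ..." banner
# on stderr, it is included here to show it is skipped if it gets pasted in).
MIRROR = "anoncvs.example.org"
KEYSCAN_OUTPUT = f"# {MIRROR}:22 SSH-2.0-OpenSSH_9.7\n{MIRROR} ssh-ed25519 {GOOD_BLOB}\n"
KEYSCAN_ROGUE = f"{MIRROR} ssh-ed25519 {TAMPERED_BLOB}\n"


def fingerprint(b64_blob: str, algo: str = "sha256") -> str:
    """Fingerprint of a base64 host-key blob in the format ssh-keygen -l prints.

    SHA256: "SHA256:" + unpadded base64 of the digest (what anoncvs.html lists).
    MD5:    "MD5:" + colon-separated hex, the older format, kept for old notes.
    """
    raw = base64.b64decode(b64_blob)
    if algo == "sha256":
        digest = hashlib.sha256(raw).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        hexdigest = hashlib.md5(raw).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))
    raise ValueError(f"unsupported fingerprint algorithm: {algo}")


def parse_keyscan(output: str) -> Dict[str, Tuple[str, str]]:
    """Map key type -> (host, base64 blob) from ssh-keyscan output lines.

    Lines look like "host keytype base64"; comment and blank lines are ignored.
    """
    keys: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, ktype, blob = parts[0], parts[1], parts[2]
        keys[ktype] = (host, blob)
    return keys


def pin_host_key(keyscan_output: str, published: Dict[str, str]) -> Optional[str]:
    """Return a known_hosts line for the first key whose fingerprint matches
    the published one (keyed by key type), or None if nothing matches.

    A None result means: do not check out from this mirror until you know why.
    """
    for ktype, (host, blob) in parse_keyscan(keyscan_output).items():
        want = published.get(ktype)
        if want is None:
            continue
        algo = "md5" if want.startswith("MD5:") else "sha256"
        if fingerprint(blob, algo) == want:
            return f"{host} {ktype} {blob}"
    return None


# Stand-in for the fingerprint copied by hand from anoncvs.html. It is derived
# from the constructed key above purely so the example is self-consistent.
PUBLISHED = {"ssh-ed25519": fingerprint(GOOD_BLOB)}

if __name__ == "__main__":
    for label, scan in (("mirror as listed", KEYSCAN_OUTPUT), ("rogue host", KEYSCAN_ROGUE)):
        entry = pin_host_key(scan, PUBLISHED)
        if entry is None:
            print(f"{label}: fingerprint MISMATCH, refusing to pin")
        else:
            print(f"{label}: append to ~/.ssh/known_hosts:\n  {entry}")
```

With the matching line appended to known_hosts, run the checkout as `CVS_RSH=ssh cvs -d anoncvs@<mirror>:/cvs checkout -P src` with `StrictHostKeyChecking yes` set for that host in ~/.ssh/config, so ssh refuses a mirror whose key has changed rather than prompting; the published fingerprint on anoncvs.html is still the only thing tying that key to the mirror operator.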
