On 30-09-2014 12:46, trondd wrote:
> Sure, you have to somehow verify that the fingerprint is good and
> check it against the fingerprint you get when first connecting to the
> CVS server.

How can you verify that fingerprint is good? I don't know. SSHFP. DNSSEC. And other ways. But these won't happen. And that's not necessarily a bad thing. It makes you extra cautious. The downside is that it's up to the user to be able to check things securely. Not every user can or wants to jump through all these hoops.

> Is it good enough to grab the signed source tarball, then checkout
> from CVS over it and make sure nothing changed in the process?

No, this won't cut it. Unless you check every line changed, and understand completely what changed and the implications.
Cheers,
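As an added illustration of the SSHFP route mentioned above (example code, not from anyone in this thread): the script below derives the SSHFP record (RFC 4255/6594) for an OpenSSH host key, prints the SHA256: fingerprint ssh shows on first connect, and checks an offered key against a record. The key is a constructed dummy Ed25519 blob and the owner name is a placeholder; in practice the record is only a trust anchor when the DNS answer is DNSSEC-validated.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4255/6594 code points for the SSHFP algorithm and fingerprint-type fields.
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                  "ssh-ed25519": 4}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def decode_pubkey(line: str) -> tuple[str, bytes]:
    """Split a known_hosts/authorized_keys style line into (key type, raw key blob)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed copy of the key type; make sure it agrees.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type inside blob does not match the line")
    return keytype, blob


def sshfp_record(owner: str, line: str, fp_type: int = 2) -> str:
    """Build the SSHFP RR (what `ssh-keygen -r` emits): digest is over the raw key blob."""
    keytype, blob = decode_pubkey(line)
    digest = FP_TYPES[fp_type](blob).hexdigest()
    return f"{owner} IN SSHFP {KEY_ALGORITHMS[keytype]} {fp_type} {digest}"


def openssh_fingerprint(line: str) -> str:
    """The SHA256:... form ssh prints in its 'authenticity cannot be established' prompt."""
    _, blob = decode_pubkey(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def matches_sshfp(line: str, record: str) -> bool:
    """Verify a key offered by the server against one SSHFP RR (constant-time digest compare)."""
    fields = record.split()
    alg, fp_type, digest = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    keytype, blob = decode_pubkey(line)
    if KEY_ALGORITHMS.get(keytype) != alg or fp_type not in FP_TYPES:
        return False
    return hmac.compare_digest(FP_TYPES[fp_type](blob).hexdigest(), digest)


def constructed_key() -> str:
    """A syntactically valid ssh-ed25519 line built from dummy bytes (constructed, not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-example"
```

Running `sshfp_record("cvs.example.org.", constructed_key())` gives the zone line to publish; `matches_sshfp` is the client-side check that replaces eyeballing the fingerprint on first connect.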