On Tue, Sep 30, 2014 at 09:44, Alan McKay wrote:
> Hi folks,
>
> I've been googling for a couple of hours now and not coming up with much
> here.
> I see how to download the -release source and then verify it, but I
> cannot find any way to grab -stable from CVS and do the same. I
> guess the only way I do see is to start out with the -release code,
> verify it, and then download each patch and apply it after verifying.
> That looks to me like it would be a lot of jumping through hoops.
>
> Am I missing something somewhere?
> Or is there really no way to do this (directly)?

I think you've already gotten the answer, which is to trust the ssh fingerprints. (Actually, after you've connected once, you're trusting the key, not just the fingerprint, which is even better.)

In theory, we could sign the ssh fingerprint page, but I don't think that's a good idea at the current time. There are some issues with expiring old data. You do have to trust the mirror, so it's not completely end to end, but that's how things stand.

Or switch to using patches. Secure and convenient do not always go hand in hand.

