On 2024-07-03 12:59 -05, "Brian Conway" <bcon...@rcesoftware.com> wrote:
> On Wed, Jul 3, 2024, at 12:50 PM, Anon Loli wrote:
>> Hi!
>> I've recently compiled OpenBSD in order to change the source code for the
>> better.
>>
>> There is one problem, however.
>> How do you verify the CVS repository that you got from the available
>> Anonymous CVS Servers?
>> All that I see in manual pages and FAQ is (summarized):
>> 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
>> 3. compile
>> 4. boom, you now became awesome
>>
>> but what about step 2?
>> Like when you fetch binary images of OpenBSD, you are instructed to use
>> signify(1) in order to verify the integrity/maliciousness of the fetched
>> data.
>> Now how in the bug do you do that for CVS repositories?
>> Right now as far as my non-seeing eyes can see is "just compile the
>> possibly malicious code, bruh, it's all correct"?
>
> You can verify the SSH keys of the anoncvs mirrors here:
>
> https://www.openbsd.org/anoncvs.html
>
> They are operated (for the most part) by the same
> developers/volunteers who contribute to the operating system source

Why would you trust those people? As far as I can work out they are a bunch of weirdos.

> code. If you're not comfortable with that, I recommend using releases
> and snapshots exclusively.

I recommend reflecting on trusting trust.

> Brian Conway
> Owner
> RCE Software, LLC

-- 
In my defence, I have been left unsupervised.
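An added example of the check Brian points at, not code from this thread or from the OpenBSD project: take a mirror's SSH host key as `ssh-keyscan` prints it, compute the same SHA256 fingerprint that `ssh-keygen -lf` shows, and compare it against the fingerprint published for that mirror before the first anoncvs checkout. The hostname, the key bytes and the fingerprint table below are constructed placeholders; the real fingerprints have to be copied from https://www.openbsd.org/anoncvs.html, which this script does not fetch.

```python
#!/usr/bin/env python3
"""Compare an anoncvs mirror's SSH host key against a published fingerprint.

Added example, not code from this thread or from OpenBSD. Every host name and
key below is constructed for the demonstration; real fingerprints must be
copied from https://www.openbsd.org/anoncvs.html.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, offset: int = 0):
    """Decode one SSH wire 'string' at offset; returns (value, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:start + length], start + length


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob).

    This is the format `ssh-keygen -lf` prints, so it can be compared directly
    with a fingerprint copied from a published list.
    """
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str):
    """Parse one `ssh-keyscan` / known_hosts line into (host, keytype, blob).

    Also checks that the key type embedded in the blob agrees with the declared
    one, which catches a line edited by hand or corrupted in transit.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <keytype> <base64-key>'")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    embedded_type, _ = read_ssh_string(blob)
    if embedded_type.decode("ascii", "replace") != keytype:
        raise ValueError(f"declared type {keytype!r} != embedded type {embedded_type!r}")
    return host, keytype, blob


def verify_host_key(line: str, published: dict) -> str:
    """Return 'match', 'mismatch' or 'unknown-host' for one keyscan line.

    `published` maps hostname -> set of fingerprints the operator published.
    'mismatch' means the mirror presented a key that is not on the list: do not
    check out from it until that is explained.
    """
    host, _keytype, blob = parse_keyscan_line(line)
    expected = published.get(host)
    if not expected:
        return "unknown-host"
    return "match" if fingerprint_sha256(blob) in expected else "mismatch"


# --- Constructed demo data (not any real mirror or key) ----------------------
DEMO_HOST = "anoncvs.example.invalid"
# A made-up ed25519 public key: 32 arbitrary bytes in the SSH blob layout.
DEMO_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
DEMO_KEYSCAN_LINE = f"{DEMO_HOST} ssh-ed25519 {base64.b64encode(DEMO_BLOB).decode()}"

# Stand-in for the table copied from the anoncvs page. It is derived from the
# demo key only so the example runs offline; in practice the value is typed in
# from the published list, never computed from the key the mirror sent you.
PUBLISHED_FINGERPRINTS = {DEMO_HOST: {fingerprint_sha256(DEMO_BLOB)}}

# Same host, key material altered by one byte (what an interposed server
# presenting its own key would look like): the fingerprint must not match.
_tampered = bytearray(DEMO_BLOB)
_tampered[-1] ^= 0x01
TAMPERED_KEYSCAN_LINE = f"{DEMO_HOST} ssh-ed25519 {base64.b64encode(bytes(_tampered)).decode()}"

if __name__ == "__main__":
    for scanned in (DEMO_KEYSCAN_LINE, TAMPERED_KEYSCAN_LINE):
        host, keytype, blob = parse_keyscan_line(scanned)
        print(host, keytype, fingerprint_sha256(blob),
              verify_host_key(scanned, PUBLISHED_FINGERPRINTS))
```

In real use the input line is what `ssh-keyscan -t ed25519 <mirror>` prints, and the published set holds the fingerprint from the anoncvs page for that mirror. A match only shows that the connection reaches the host whose key the operator published; it says nothing about the source tree itself, which is the point Brian's "releases and snapshots" remark and the trusting-trust aside are making.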