On Wed, 1 Oct 2014, at 04:46 AM, trondd wrote:
> On Tue, Sep 30, 2014 at 11:30 AM, Giancarlo Razzolini <grazzol...@gmail.com> wrote:
>
> > On 30-09-2014 11:56, trondd wrote:
> >
> >> There are SSH fingerprints published for each of the CVS servers.
> >
> > They are published on a clear http page and there is no SSHFP on the dns.
> > You need to access the anoncvs page from different places, using different
> > connections/vpns/proxies, to be sure you are talking to the right anoncvs
> > server.
>
> Sure, you have to somehow verify that the fingerprint is good and check it
> against the fingerprint you get when first connecting to the CVS server.
> How can you verify that fingerprint is good? I don't know.
>
> Is it good enough to grab the signed source tarball, then checkout from CVS
> over it and make sure nothing changed in the process?

Some of the servers have been up for years and the fingerprints are cached and mirrored all around the web. Compare what you're seeing with a few of the caches and mirrors to see if they match.

--
Carlin
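The comparison discussed in this thread, as an added example that is not part of the original messages: it computes the fingerprint of the host key seen on first connect and checks it against copies of the published fingerprint collected from several sources. The host name, source labels, sample keys and the `minimum=3` threshold are assumptions made up for the illustration.

```python
import base64
import hashlib
import struct


def fingerprints(key_line):
    """Return (md5_hex, sha256) fingerprints of an OpenSSH public key or known_hosts line."""
    # The base64 key blob begins with a 4-byte length, so it always encodes as "AAAA...".
    blob_field = next((f for f in key_line.split() if f.startswith("AAAA")), None)
    if blob_field is None:
        raise ValueError("no public key blob in line")
    blob = base64.b64decode(blob_field)
    digest = hashlib.md5(blob).hexdigest()
    md5_hex = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_hex, "SHA256:" + sha256


def normalise(published):
    """Bring a published fingerprint into the form fingerprints() returns."""
    fp = published.strip()
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp if fp.startswith("SHA256:") else fp.lower()


def check_against_copies(key_line, copies, minimum=3):
    """copies maps a source label to the fingerprint published there.
    Passes only if at least `minimum` copies agree and none disagrees."""
    accepted = set(fingerprints(key_line))
    agree = sorted(s for s, fp in copies.items() if normalise(fp) in accepted)
    differ = sorted(s for s in copies if s not in agree)
    return len(agree) >= minimum and not differ, agree, differ


def constructed_key_line(seed):
    """Constructed sample: a syntactically valid ed25519 known_hosts line, not a real key."""
    key = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return "anoncvs.example.org ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    seen = constructed_key_line(1)          # key offered on first connect
    md5_hex, sha256 = fingerprints(seen)
    copies = {"project page": md5_hex, "web cache": "MD5:" + md5_hex.upper(),
              "mirror": sha256, "other path": fingerprints(constructed_key_line(2))[0]}
    print(check_against_copies(seen, copies))   # one source disagrees, so the check fails
```

Agreement between copies is only meaningful when they were fetched over independent paths, as the quoted message points out; a single disagreeing copy is treated as a failure to investigate, not a vote to be outnumbered.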