On Wed, Jul 3, 2024, at 12:50 PM, Anon Loli wrote:
> Hi!
> I've recently compiled OpenBSD in order to change the source code for the
> better.
>
> There is one problem, however.
> How do you verify the CVS repository that you got from the available
> Anonymous CVS Servers?
> All that I see in manual pages and FAQ is (summarized):
> 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
> 3. compile
> 4. boom, you now became awesome
>
> but what about step 2?
> Like when you fetch binary images of OpenBSD, you are instructed to use
> signify(1) in order to verify the integrity/maliciousness of the fetched
> data.
> Now how in the bug do you do that for CVS repositories?
> Right now as far as my non-seeing eyes can see is "just compile the
> possibly malicious code, bruh, it's all correct"?

You can verify the SSH keys of the anoncvs mirrors here:

https://www.openbsd.org/anoncvs.html

They are operated (for the most part) by the same developers/volunteers who contribute to the operating system source code. If you're not comfortable with that, I recommend using releases and snapshots exclusively.

Brian Conway
Owner
RCE Software, LLC
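
The host key check suggested in the reply above, as an added example that is not part of the original thread: it computes the OpenSSH SHA256 fingerprint of a host key line (the `host keytype base64` format that ssh-keyscan and known_hosts use) and compares it with a published fingerprint. The host name `anoncvs.example.org`, the key bytes and the `PUBLISHED` value are constructed sample data, and the published fingerprint is assumed to be in OpenSSH's `SHA256:` form.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(host_key_line: str) -> str:
    """SHA256 fingerprint of a 'host keytype base64' line, as ssh-keygen -l prints it."""
    fields = host_key_line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    keytype, blob = fields[1], base64.b64decode(fields[2], validate=True)
    # The blob starts with its own length-prefixed key type; it must agree
    # with the text field, otherwise the line is malformed or mislabelled.
    if not blob.startswith(ssh_string(keytype.encode("ascii"))):
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_published(host_key_line: str, published: str) -> bool:
    """True only if the offered key hashes to the published fingerprint."""
    offered = fingerprint(host_key_line).encode("ascii")
    return hmac.compare_digest(offered, published.strip().encode("utf-8"))


def make_line(host: str, raw_key: bytes) -> str:
    """Build a constructed ssh-ed25519 host key line (sample data only)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


# Constructed sample data: hypothetical host name and made-up key bytes.
GENUINE = make_line("anoncvs.example.org", bytes(range(32)))
IMPOSTOR = make_line("anoncvs.example.org", bytes(range(1, 33)))
# Stand-in for the fingerprint you would copy from the anoncvs page.
PUBLISHED = fingerprint(GENUINE)

if __name__ == "__main__":
    for label, line in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, fingerprint(line), matches_published(line, PUBLISHED))
```

A match authenticates the mirror you are connecting to; it is not a signature over the checked-out source.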