On Wed, Jul 3, 2024, at 1:04 PM, Florian Obser wrote:
> On 2024-07-03 12:59 -05, "Brian Conway" <bcon...@rcesoftware.com> wrote:
>> On Wed, Jul 3, 2024, at 12:50 PM, Anon Loli wrote:
>>> Hi!
>>> I've recently compiled OpenBSD in order to change the source code for the
>>> better.
>>>
>>> There is one problem, however.
>>> How do you verify the CVS repository that you got from the available
>>> Anonymous CVS Servers?
>>> All that I see in manual pages and FAQ is (summarized):
>>> 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
>>> 3. compile
>>> 4. boom, you now became awesome
>>>
>>> but what about step 2?
>>> Like when you fetch binary images of OpenBSD, you are instructed to use
>>> signify(1)
>>> in order to verify the integrity/maliciousness of the fetched data.
>>> Now how in the bug do you do that for CVS repositories?
>>> Right now as far as my non-seeing eyes can see is "just compile the
>>> possibly malicious code, bruh, it's all correct"?
>>
>> You can verify the SSH keys of the anoncvs mirrors here:
>>
>> https://www.openbsd.org/anoncvs.html
>>
>> They are operated (for the most part) by the same
>> developers/volunteers who contribute to the operating system source
>
> Why would you trust those people? As far as I can work out they are a
> bunch of weirdos.

I meant to say, except ftp.hostserver.de .
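
As an added illustration of the host-key check mentioned in the thread (not part of any message above, and not OpenBSD project code), this compares an `ssh-keyscan`-style line against a published fingerprint. The host name, both keys and the `PUBLISHED` table are constructed sample values, and the fingerprint form assumed is OpenSSH's `SHA256:` base64.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode a length-prefixed SSH wire string (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the key blob, unpadded base64."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_host_key(line: str):
    """Split a 'host keytype base64' line, as printed by ssh-keyscan."""
    host, key_type, key_b64 = line.split()[:3]
    blob = base64.b64decode(key_b64, validate=True)
    # The blob carries its own key type; a mismatch means a malformed line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    return host, key_type, key_b64


def host_key_matches(line: str, published: dict) -> bool:
    """True only if the scanned key's fingerprint equals the published one."""
    host, key_type, key_b64 = parse_host_key(line)
    expected = published.get((host, key_type))
    if expected is None:
        return False  # no published fingerprint: treat the host as unverified
    return sha256_fingerprint(key_b64) == expected


# Constructed sample data: a made-up host name and dummy Ed25519 key blobs.
HOST = "anoncvs.example.org"
GOOD_KEY = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
EVIL_KEY = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
PUBLISHED = {(HOST, "ssh-ed25519"): sha256_fingerprint(GOOD_KEY)}

if __name__ == "__main__":
    for key in (GOOD_KEY, EVIL_KEY):
        line = f"{HOST} ssh-ed25519 {key}"
        print(sha256_fingerprint(key), host_key_matches(line, PUBLISHED))
```

A matching fingerprint authenticates the mirror you are connecting to; it says nothing about the contents of the tree that mirror serves.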