On 2024-07-03, Anon Loli <[email protected]> wrote: > How do you verify the CVS repository that you got from the available Anonymous > CVS Servers? > All that I see in manual pages and FAQ is(summarized): > 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT > 3. compile > 4. boom, you now became awesome > > but what about step 2? > Like when you fetch binary images of OpenBSD, you are instructed to use > signify(1) > in order to verify the integrity/maliciousness of the fetched data. > Now how in the bug do you do that for CVS repositories?
Best you can do is checkout from a couple of mirrors (verifying ssh key fingerprints against the set on https://www.openbsd.org/anoncvs.html to guard against mitm) and compare the checkouts (being aware that they may have been updated at different times so might not all have the most recent commits). -- Please keep replies on the mailing list.
