On Thu, Jul 04, 2024 at 08:35:59AM -0000, Stuart Henderson wrote:
> On 2024-07-03, Anon Loli <anonl...@autistici.org> wrote:
> > How do you verify the CVS repository that you got from the available
> > Anonymous
> > CVS Servers?
> > All that I see in manual pages and FAQ is (summarized):
> > 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
> > 3. compile
> > 4. boom, you now became awesome
> >
> > but what about step 2?
> > Like when you fetch binary images of OpenBSD, you are instructed to use
> > signify(1)
> > in order to verify the integrity/maliciousness of the fetched data.
> > Now how in the bug do you do that for CVS repositories?
>
> Best you can do is checkout from a couple of mirrors (verifying ssh key
> fingerprints against the set on https://www.openbsd.org/anoncvs.html
> to guard against mitm) and compare the checkouts (being aware that they
> may have been updated at different times so might not all have the most
> recent commits).
>
> --
> Please keep replies on the mailing list.
>
That doesn't defend against the mirror host itself being malicious.. like HELLO what are we talking about?? What do you mean compare the checkouts? Is there something like a hash sum for the entire thing? Regardless of it, it's missing in the documentation, I consider it to be a bug, and so should you! Shilling unverified copies from the internet is very suspicious from OpenBSD, I must admit.
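The cross-mirror comparison Stuart describes, as an added example that is not part of the thread and not OpenBSD's own tooling: a POSIX shell function that compares two checkouts of the same module and reports every file that differs, skipping the CVS/ metadata directories (their Root and Repository entries name the mirror, so they always differ). The sample trees and the mirror names mirror-a.example / mirror-b.example are constructed here so the script runs offline; against real checkouts you would point it at the two directories you fetched.

```shell
#!/bin/sh
# Added example (not from the thread): compare two anoncvs checkouts of the
# same module and list any file that differs or is present in only one tree.
# CVS/ directories are excluded because they hold mirror-specific metadata.
#
# Usage: compare_checkouts /path/to/checkout-a /path/to/checkout-b
# Exit status 0 means the two trees (minus CVS/ metadata) are identical.
compare_checkouts() {
    a="$1"
    b="$2"
    # -r recurses, -q prints only the names of differing files,
    # -x CVS skips any file or directory whose basename is CVS.
    # Both GNU diff and BSD diff accept these options.
    diff -r -q -x CVS "$a" "$b"
}

# Constructed sample checkout so the function can be exercised offline.
# $1 is a made-up mirror host written into CVS/Root; it must be ignored.
make_sample_checkout() {
    d="$(mktemp -d)"
    mkdir -p "$d/src/example/CVS"
    printf 'int main(void) { return 0; }\n' > "$d/src/example/hello.c"
    printf ':ext:anoncvs@%s:/cvs\n' "$1" > "$d/src/example/CVS/Root"
    printf '%s\n' "$d"
}

# Demonstration when run as: sh compare_checkouts.sh --demo
# Identical trees agree; after one file is altered the difference is reported.
if [ "${1:-}" = "--demo" ]; then
    a="$(make_sample_checkout mirror-a.example)"
    b="$(make_sample_checkout mirror-b.example)"
    compare_checkouts "$a" "$b" && echo "checkouts agree"
    printf '/* altered on one mirror */\n' >> "$b/src/example/hello.c"
    compare_checkouts "$a" "$b" || echo "checkouts differ: inspect before building"
    rm -rf "$a" "$b"
fi
```

A reported difference is not by itself proof of tampering: as the quoted reply notes, mirrors update at different times, so a file that is newer on one side may simply be a more recent commit, which `cvs log` on that file will show. What the comparison cannot do is detect a change that is present on every mirror you consult, since it only establishes agreement between the copies, not agreement with the canonical tree.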