On Tue, Sep 30, 2014 at 11:30 AM, Giancarlo Razzolini <grazzol...@gmail.com>
wrote:

> On 30-09-2014 11:56, trondd wrote:
>
>> There are SSH fingerprints published for each of the CVS servers.
>>
> They are published on a clear HTTP page and there is no SSHFP in the DNS.
> You need to access the anoncvs page from different places, using different
> connections/VPNs/proxies, to be sure you are talking to the right anoncvs
> server.


Sure, you have to somehow verify that the fingerprint is good and check it
against the fingerprint you get when first connecting to the CVS server.
How can you verify that fingerprint is good?  I don't know.

Is it good enough to grab the signed source tarball, then check out from CVS
over it and make sure nothing changed in the process?
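
As an added example (not part of the original message): the check discussed in this thread, comparing a published fingerprint with the one derived from the host key the server presents, written in Python. The host name and key blob are constructed sample values, not real anoncvs keys, and the result is only as trustworthy as the channel the published fingerprint arrived over.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample: known_hosts-style line with a made-up key blob
# (hypothetical host name, not a real anoncvs host key).
_RAW = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_LINE = "anoncvs.example.org ssh-ed25519 " + base64.b64encode(_RAW).decode()


def key_blob(line):
    """Return the raw public-key blob from a known_hosts or .pub line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            # The base64 blob always follows the key-type field.
            return base64.b64decode(fields[i + 1], validate=True)
    raise ValueError("no recognised key type in line")


def fingerprints(blob):
    """Compute both fingerprint styles OpenSSH prints for a key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha.rstrip("="),  # OpenSSH drops the padding
    }


def matches_published(line, published):
    """True only if the published fingerprint equals the computed one."""
    fps = fingerprints(key_blob(line))
    pub = published.strip()
    if pub.startswith("SHA256:"):
        return pub == fps["sha256"]  # base64 is case-sensitive
    if pub.upper().startswith("MD5:"):
        pub = pub[4:]
    return pub.lower() == fps["md5"]


if __name__ == "__main__":
    for name, value in fingerprints(key_blob(SAMPLE_LINE)).items():
        print(name, value)
```
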
