On Tue, Sep 30, 2014 at 11:57 AM, Giancarlo Razzolini <grazzol...@gmail.com>
wrote:

>
>> Is it good enough to grab the signed source tarball, then checkout from
>> CVS over it and make sure nothing changed in the process?
>>
> No, this won't cut it. Unless you check every line changed, and understand
> completely what changed and the implications.
>

CVS will tell you if anything changed. Get the signed release tarball, then
check out release over top. In conjunction with the SSH fingerprint, you
can trust this CVS server. Check out stable and go. ...Unless just the
stable branch of this server has compromised code in it. Then you'll have
to compare all the changes to the signed patch files. At that point, might
as well just use the patch files, I guess.
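The check described above (lay the branch checkout over the verified release tree and see which files differ), as an added example that is not part of the thread; it assumes the tarball's signature was already checked and both trees are on disk, and compares file contents directly instead of relying on cvs status output:

```python
"""Compare a signed release tree against a CVS checkout laid over it.
Added example; CVS/ bookkeeping directories are skipped so only real
source differences are reported."""
import hashlib
import os
import tempfile

def _digests(root):
    """Map each relative path under root to its SHA-256, ignoring CVS/ dirs."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "CVS"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare_trees(release_dir, checkout_dir):
    """Return which files differ, were added, or went missing vs. the release."""
    rel, chk = _digests(release_dir), _digests(checkout_dir)
    return {
        "modified": sorted(p for p in rel if p in chk and rel[p] != chk[p]),
        "only_in_checkout": sorted(set(chk) - set(rel)),
        "only_in_release": sorted(set(rel) - set(chk)),
    }

def _write(root, rel_path, data):
    path = os.path.join(root, rel_path)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Constructed sample trees: one file patched on -stable, one file added."""
    with tempfile.TemporaryDirectory() as tmp:
        release, checkout = os.path.join(tmp, "release"), os.path.join(tmp, "checkout")
        for root in (release, checkout):
            _write(root, "sys/kern/init_main.c", "int main(void) { return 0; }\n")
            _write(root, "etc/rc", "#!/bin/sh\n")
        _write(checkout, "etc/rc", "#!/bin/sh\nset -e\n")              # changed on -stable
        _write(checkout, "sys/kern/CVS/Entries", "/init_main.c/1.1///\n")  # CVS metadata, ignored
        _write(checkout, "sys/kern/kern_new.c", "/* new */\n")          # added on -stable
        return compare_trees(release, checkout)

if __name__ == "__main__":
    print(demo())
```

Every path listed under "modified" or "only_in_checkout" is one whose diff you would then read against the signed patch files.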
