#5
21st February 2018
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,984

Avoid 1 and 2. These are updates to a working directory which must be in a known-good state. You don't have that. Run your checkout again.

Your use of the Alberta CVS server doesn't contribute to any significant security over using any repository mirror, as there is no digital signature mechanism for these.

Binary project distributions (kernels, filesets, packages, syspatch updates) are signed with signify(1) by a project member. But you have no assurance which CVS repository mirror was used for the working directory they used to do their build.

---

Edited to add:

You can switch repositories at will when updating your working directory. Individual patch updates are applied as diffs, and will fail if revisions do not match correctly. If there are multiple patches against a source module, however, it is replaced, rather than patched, so this form of paranoia will not fully confirm mirror validity.

---

Edited again to add:

I have a local mirror of the CVS repository that I use to create -current and -stable working directories. It could be an AnonCVS mirror, if it were on one of my servers instead of my laptop. But this mirror is itself a replication from my nearest CVSync mirror. My working directories are created from mirrors, of mirrors, of mirrors....

...Yes, it's turtles all the way down.

Last edited by jggimi; 21st February 2018 at 06:00 PM.
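The cross-mirror comparison jggimi describes (refreshing a working directory from a different repository so that mismatched revisions show up) can also be done offline by hashing two independent checkouts and diffing the manifests. The script below is an added example, not code from the post or from the OpenBSD project; the mirror names, file contents and `demo_trees` helper are constructed for illustration. Agreement between two mirrors is still not proof of authenticity, as the post notes, but a divergence is a concrete signal that one mirror is stale or altered.

```shell
#!/bin/sh
# Added example: compare two CVS working directories checked out from
# different AnonCVS mirrors by hashing every file in each tree.

# Print "sha256  relative/path" for every regular file under $1, sorted by path.
# CVS/ bookkeeping directories are skipped: they record each mirror's own
# Root and Repository entries and legitimately differ between checkouts.
tree_manifest() {
    dir=$1
    (cd "$dir" && find . -type f -not -path '*/CVS/*' -print | sort | while read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then
            h=$(sha256sum "$f" | cut -d' ' -f1)
        else
            h=$(shasum -a 256 "$f" | cut -d' ' -f1)
        fi
        printf '%s  %s\n' "$h" "${f#./}"
    done)
}

# Compare two trees. Prints each path whose content differs or that exists in
# only one tree; returns 0 when the trees agree, 1 when they diverge.
compare_trees() {
    ma=$(mktemp); mb=$(mktemp)
    tree_manifest "$1" > "$ma"
    tree_manifest "$2" > "$mb"
    # Manifest lines unique to either side name the divergent files.
    diffs=$(diff "$ma" "$mb" | grep '^[<>]' | awk '{print $3}' | sort -u)
    rm -f "$ma" "$mb"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Constructed sample: two checkouts of the same module from hypothetical
# mirrors. sys/main.c agrees; sys/util.c differs; CVS/Root differs but is
# deliberately ignored. Prints the temporary base directory.
demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/mirror_a/sys/CVS" "$base/mirror_b/sys/CVS"
    printf 'int main(void){return 0;}\n' > "$base/mirror_a/sys/main.c"
    printf 'int main(void){return 0;}\n' > "$base/mirror_b/sys/main.c"
    printf ':pserver:anoncvs@mirror-a.example:/cvs\n' > "$base/mirror_a/sys/CVS/Root"
    printf ':pserver:anoncvs@mirror-b.example:/cvs\n' > "$base/mirror_b/sys/CVS/Root"
    printf 'original\n' > "$base/mirror_a/sys/util.c"
    printf 'altered\n'  > "$base/mirror_b/sys/util.c"
    printf '%s\n' "$base"
}

# Usage: compare_mirrors.sh /path/to/checkout_a /path/to/checkout_b
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

Run against two real working directories, the script lists only files whose contents disagree, which is usually a short enough list to inspect by hand with cvs(1) diff or by checking the revision headers directly.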