On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis
<miro.ro...@croatiafidelis.hr> wrote:
> Apologies for my not being able to reply sooner!
>
> On 170227-18:18+0300, Andrew Savchenko wrote:
>
>> > And via a new private big business, the Github. Giving over all users to
>> > big Github brother.
>>
>> ???
>> Github is entirely optional and is only for those who want to use it
>> (we have both users and devs willing so), but in no way anyone
>> demands its usage.
> Yeah! Still, it would be great if git was used in distributed way, and
> not from a central private business...
>

Git can pretty-much ONLY be used in a distributed way.  In the sync
workflow github is basically just a mirror.  A lot of our mirrors are
run by private businesses, and nobody knows what OS they're even
hosted on, let alone whether the firmware and CPU microcode are FOSS
along with their hard drive firmware.

As far as distribution goes I think github is the wrong thing to worry
about.  What you want is traceable signatures from dev to user.  Once
you have that you can download from an NSA mirror and there shouldn't
be any risk.  All a mirror does is replicate data, and if
modifications are detectable the worst they can do is a DoS.

Most of the concerns that people tend to have with github is that you
can become dependent on them for issue and pull request tracking and
then if they decide to pull the plug you lose all that data.  We try
to minimize the use of these features and not make it a core part of
the dev workflow.  But, we do use pull requests and in theory we could
lose those someday.  The actual code itself gets pushed to the Gentoo
infra Repo from a developer's box using plain old git after they've
inspected/tested/etc it.  So, there isn't really any way for Github to
go injecting commits into the repositories we actually use.  I guess
they could do it for anybody using our github mirrors on the
distribution side, but that's only because we don't have that all
locked down and the same issue applies with any other mirror (rsync,
etc).  Again, you really need end-to-end signature checking to make
any of these things truly safe.

-- 
Rich

Reply via email to