On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis <miro.ro...@croatiafidelis.hr> wrote: > Apologies for my not being able to reply sooner! > > On 170227-18:18+0300, Andrew Savchenko wrote: > >> > And via a new private big business, the Github. Giving over all users to >> > big Github brother. >> >> ??? >> Github is entirely optional and is only for those who want to use it >> (we have both users and devs willing so), but in no way anyone >> demands its usage. > Yeah! Still, it would be great if git was used in distributed way, and > not from a central private business... >
Git can pretty-much ONLY be used in a distributed way. In the sync workflow github is basically just a mirror. A lot of our mirrors are run by private businesses, and nobody knows what OS they're even hosted on, let alone whether the firmware and CPU microcode are FOSS along with their hard drive firmware. As far as distribution goes I think github is the wrong thing to worry about. What you want is traceable signatures from dev to user. Once you have that you can download from an NSA mirror and there shouldn't be any risk. All a mirror does is replicate data, and if modifications are detectable the worst they can do is a DoS. Most of the concerns that people tend to have with github is that you can become dependent on them for issue and pull request tracking and then if they decide to pull the plug you lose all that data. We try to minimize the use of these features and not make it a core part of the dev workflow. But, we do use pull requests and in theory we could lose those someday. The actual code itself gets pushed to the Gentoo infra Repo from a developer's box using plain old git after they've inspected/tested/etc it. So, there isn't really any way for Github to go injecting commits into the repositories we actually use. I guess they could do it for anybody using our github mirrors on the distribution side, but that's only because we don't have that all locked down and the same issue applies with any other mirror (rsync, etc). Again, you really need end-to-end signature checking to make any of these things truly safe. -- Rich