I think the point is that the commits as they’re landing are hard to relate to anything coming from Red Hat. For instance, I was curious about one earlier which had a commit message which indicated that there was a one-line change to a file… However, the commit added the entire file.
In that case, I’ve attempted to reach out to the CentOS committer whose name is associated with the commit (with no response as of this moment). But there are, unfortunately, large swaths of the new code which don’t have an actual person attached. It’s fair to assume it’s all coming from a faucet at Red Hat. However, barring anyone with authority stating otherwise, it’s also fair to assume that the stuff coming from Red Hat is being modified for CentOS’s needs before being committed. If the latter is the case, the statement about anonymous sources is completely correct with regard to the files which have a committer of “CentOS Sources <b...@centos.org>”. There is no one to take the fall if a file is subtly modified, and there’s no (public) change history to show when it happened.

The paranoid might think of Apple’s recent “goto fail” issue and how easy it would be to introduce something like that in a huge source drop which is not easily verifiable as being exactly the same as Red Hat’s sources. Mind you, I’m not saying that’s the case. But in the absence of data or evidence to the contrary, it’s a perfectly sane and logical conclusion one might come to.

In any case, I don’t feel it’s unreasonable for people to want to know the provenance of the code they’re running.

Just my thoughts.

Matt

--
Matt Lewandowsky
Big Geek
Greenviolet
m...@greenviolet.net
http://www.greenviolet.net
+1 415 578 5782 (US)
+44 844 484 8254 (UK)

From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Stephen John Smoogen
Sent: Tuesday, 10 June, 2014 23:31
To: owner-scientific-linux-us...@listserv.fnal.gov
Cc: scientific-linux-users@fnal.gov
Subject: Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

On 10 June 2014 20:12, Steven Haigh <net...@crc.id.au> wrote:

> On 11/06/14 12:07, Paul Robert Marino wrote:
>> Yes a lot of us noticed.
>> Recompiling an entire distro from scratch is not an easy proposition.
>> Furthermore they need to strip out all of the Red Hat branding. Expect
>> it to take a while at least a month or two if not more.
>
> I think it'll take longer than normal this time around... The build
> process is changing completely from previous versions. It seems the code
> is getting published on git.centos.org - but it seems nobody really
> knows who is putting it there. This leaves the moral quandary of 'do we
> all trust an anonymous source with no official ties to Red Hat?'

Uh... that changed last summer when Red Hat became an official sponsor to CentOS. So not sure where the anonymous source thing is coming from.

> Time will tell.

--
Stephen J Smoogen.
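Added example, not part of the thread and not CentOS's or Red Hat's own tooling: a small audit over a `git log --numstat` export that surfaces the two things Matt describes above, commits whose committer identity is a process rather than a person, and commits whose diff is a whole-file drop rather than the small change the subject line claims. The log format string, the `bot@example.invalid` address (the real one is elided on the page), the 50-line threshold and every commit in SAMPLE_LOG are constructed for this example. It cannot prove that a tree is identical to Red Hat's sources (that takes the SRPMs to compare against); it only points at the commits a reviewer would have to check by hand.

```python
"""Flag commits in a git history that nobody can vouch for.

Added example for this thread; not code from the list, CentOS, or Red Hat.
Input is the output of (format string chosen for this example):

    git log --numstat --format='commit %H%nauthor %an <%ae>%nsubject %s'

SAMPLE_LOG is constructed: the hashes, paths and addresses are placeholders.
"""
import re
from dataclasses import dataclass, field

# Committer identities that are a process, not a person (name from the thread;
# the e-mail address used in the sample is a placeholder).
ANON_AUTHORS = {"CentOS Sources"}
# Assumed threshold: a text file with this many added lines and no deletions
# is being dropped in whole, so the diff shows nothing about what changed.
WHOLE_FILE_MIN_LINES = 50

SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
author CentOS Sources <bot@example.invalid>
subject fix off-by-one in parse_header()
1\t1\tsrc/parse.c

commit 2222222222222222222222222222222222222222
author CentOS Sources <bot@example.invalid>
subject one-line fix in util.c
312\t0\tsrc/util.c

commit 3333333333333333333333333333333333333333
author Jane Maintainer <jane@example.invalid>
subject import upstream tarball
-\t-\tSOURCES/foo-1.0.tar.gz

commit 4444444444444444444444444444444444444444
author Jane Maintainer <jane@example.invalid>
subject add spec file
120\t0\tSPECS/foo.spec
"""


@dataclass
class Commit:
    sha: str
    author_name: str = ""
    author_email: str = ""
    subject: str = ""
    # (added, deleted, path); counts are None for binary files ("-" in numstat)
    files: list = field(default_factory=list)


AUTHOR_RE = re.compile(r"^author (.*?) <([^>]*)>$")


def _count(token):
    return None if token == "-" else int(token)


def parse_log(text):
    """Parse commit/author/subject/numstat records into Commit objects."""
    commits = []
    cur = None
    for line in text.splitlines():
        if line.startswith("commit "):
            cur = Commit(sha=line.split(" ", 1)[1].strip())
            commits.append(cur)
        elif cur is None:
            continue
        elif line.startswith("author "):
            m = AUTHOR_RE.match(line)
            if m:
                cur.author_name, cur.author_email = m.group(1), m.group(2)
        elif line.startswith("subject "):
            cur.subject = line[len("subject "):]
        elif "\t" in line:
            added, deleted, path = line.split("\t", 2)
            cur.files.append((_count(added), _count(deleted), path))
    return commits


def whole_file_drops(commit, min_lines=WHOLE_FILE_MIN_LINES):
    """Text files that only gained lines: the 'change' is the entire file."""
    return [path for added, deleted, path in commit.files
            if added is not None and deleted == 0 and added >= min_lines]


def audit(commits, anon_authors=ANON_AUTHORS, min_lines=WHOLE_FILE_MIN_LINES):
    """Return (sha, kind, detail) findings; kind is 'no-person' or 'whole-file-drop'."""
    findings = []
    for c in commits:
        anonymous = c.author_name in anon_authors
        if anonymous:
            findings.append((c.sha, "no-person", f"{c.author_name} <{c.author_email}>"))
        for path in whole_file_drops(c, min_lines):
            # A whole-file drop by a named person can be asked about; by a bot
            # there is nobody to ask, so it has to be diffed against upstream.
            tag = "compare against upstream SRPM" if anonymous else "review"
            findings.append((c.sha, "whole-file-drop", f"{path} ({tag}); subject: {c.subject}"))
    return findings


if __name__ == "__main__":
    for sha, kind, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{sha[:12]}  {kind:16s} {detail}")
```

On the sample, commit 1 is flagged only for its committer, commit 2 for both the committer and a 312-line addition with zero deletions under a subject claiming a one-line fix, commit 3 is skipped because numstat reports the tarball as binary, and commit 4 is flagged for review only, since a named maintainer can be asked what the new spec file is. Pipe a real `git log` with the same format string into `parse_log` to run it on an actual repository.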