Tom H, Sent: Wednesday, 11 June, 2014 01:33:
> AFAIC this is pure FUD.
>
> In what way is the CentOS git less secure than other upstream git repos?
>
> Do you have an example of files being "dumped" into the CentOS git by
> non-CentOS uploaders? I've looked at a few packages and I see
> kbsi...@karan.org (he's one of the main CentOS guys) and
> b...@centos.org.

The problem, as I see it, is that the "b...@centos.org" commits come from a 
magic place that no one is sure where it is. The commits are not GPG 
signed, nor are they at all verifiable as originating with Red Hat.

We're getting a bit off-topic for this list, but I see the following as a 
solution to clarifying the current situation as I understand the reality to 
be:

1) Have the commits come from a Red Hat email address (since they're 
supposedly being pushed to the repo from Red Hat) as the committer.

2) Have the commits be GPG signed, with a way to verifiably trust the 
signature.

3) Ensure git.centos.org is able to show signing information.

This will result in a verifiable chain of the sources originating at Red Hat, 
and being reasonably sure of lack of tampering. However, it does add some risk 
to Red Hat as there is a degree of them certifying correctness. The "don't 
trust" view is that *someone* needs to be able to put their name behind it as 
opposed to a faceless committer claiming to be the bug tracker.

Personally, I don't care if kbsi...@karan.org commits are signed if he doesn't 
want them to be and I suspect almost every party interested in this 
conversation would agree. It's his personal name on the line. The problem is 
the generic bug tracker address committing huge swaths of code of unknown 
provenance.

Again, this is just my view of the situation. I'm not trying to say whether 
"trust" or "don't trust" is the correct answer. But I see both sides and I 
want to help everyone also see both sides so they can be informed in their 
replies instead of this rapidly degenerating into a mess of useless 
speculation which can't be reconciled due to lack of facts.

Matt

-- 
Matt Lewandowsky
Big Geek
Greenviolet
m...@greenviolet.net http://www.greenviolet.net
+1 415 578 5782 (US) +44 844 484 8254 (UK)
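The three checks Matt lists (committer from the expected domain, a GPG signature git trusts, and the signing information surfaced) can be audited mechanically from `git log`. The script below is an added example, not code from the thread or from the CentOS project; the repository path, the trusted domain and the sample log lines are constructed placeholders.

```python
"""Audit `git log` output for the chain described above: every commit must be
GPG-signed with a key git trusts (%G? == 'G') and committed from an address in
the expected domain. Added example; domain and sample lines are constructed."""
import subprocess
from dataclasses import dataclass

# git's %G? codes: G good/trusted, U good but untrusted key, B bad, X expired sig,
# Y expired key, R revoked key, E cannot check (missing key), N no signature.
SIG_STATUS = {"G": "good", "U": "good, key not trusted", "B": "BAD signature",
              "X": "signature expired", "Y": "signing key expired",
              "R": "signing key revoked", "E": "cannot verify (missing key?)",
              "N": "unsigned"}
# hash, signature status, signing key id, committer email, tab-separated
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%ce"

@dataclass
class Finding:
    commit: str
    committer: str
    reason: str

def audit_log(log_text: str, trusted_domain: str) -> list[Finding]:
    """Return one Finding per policy failure; an empty list means every commit
    carries a trusted signature AND a committer address in trusted_domain."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, keyid, committer = line.split("\t")
        if status != "G":
            reason = SIG_STATUS.get(status, "unknown status " + status)
            findings.append(Finding(commit, committer, f"{reason} (key {keyid or '-'})"))
        domain = committer.rpartition("@")[2].lower()
        if domain != trusted_domain.lower():
            findings.append(Finding(commit, committer, f"committer outside @{trusted_domain}"))
    return findings

def audit_repo(path: str, trusted_domain: str, rev_range: str = "HEAD") -> list[Finding]:
    """Run git log on a real checkout (needs git and the signers' public keys in gpg)."""
    out = subprocess.run(["git", "-C", path, "log", f"--format={LOG_FORMAT}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return audit_log(out, trusted_domain)

# Constructed sample of what `git log --format=...` prints for three commits.
SAMPLE_LOG = (
    "aaaa1111\tG\t0123456789ABCDEF\tbuild@example-redhat.test\n"
    "bbbb2222\tN\t\tbugs@example-centos.test\n"
    "cccc3333\tU\tFEDCBA9876543210\tdev@example-redhat.test\n"
)

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG, "example-redhat.test"):
        print(f"{f.commit} {f.committer}: {f.reason}")
```

Only status `G` passes, so a good signature from a key nobody has marked trusted (`U`) is still flagged; that is the "way to verifiably trust the signature" part of point 2.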
