(not to want to stray further off the topic)

but what does it matter if it doesn't come from Red Hat?
You can see the source and decide whether or not to use it in your
repository, just like the other bits that are added to SL that don't come
from the current SRPMs.

?


On Wed, Jun 11, 2014 at 4:42 AM, Matt Lewandowsky <m...@greenviolet.net>
wrote:

> Tom H, Sent: Wednesday, 11 June, 2014 01:33:
> > AFAIC this is pure FUD.
> >
> > In what way is the CentOS git less secure than other upstream git repos?
> >
> > Do you have an example of files being "dumped" into the CentOS git by
> > non-CentOS uploaders? I've looked at a few packages and I see
> > kbsi...@karan.org (he's one of the main CentOS guys) and
> > b...@centos.org.
>
> The problem, as I see it, is that the "b...@centos.org" commits come from a
> magic place that no one is sure of where it is. The commits are not GPG
> signed, nor are they at all verifiable as originating with Red Hat.
>
> We're getting a bit off-topic for this list, but I see the following as a
> solution to clarifying the current situation as I understand the reality to
> be:
>
> 1) Have the commits come from a Red Hat email address (since they're
> supposedly being pushed to the repo from Red Hat) as the committer.
>
> 2) Have the commits be GPG signed, with a way to verifiably trust the
> signature.
>
> 3) Ensure git.centos.org is able to show signing information.
>
> This will result in a verifiable chain of the sources originating at Red Hat,
> and being reasonably sure of lack of tampering. However, it does add some risk
> to Red Hat as there is a degree of them certifying correctness. The "don't
> trust" view is that *someone* needs to be able to put their name behind it as
> opposed to a faceless committer claiming to be the bug tracker.
>
> Personally, I don't care if kbsi...@karan.org commits are signed if he doesn't
> want them to be and I suspect almost every party interested in this
> conversation would agree. It's his personal name on the line. The problem is
> the generic bug tracker address committing huge swaths of code of unknown
> provenance.
>
> Again, this is just my view of the situation. I'm not trying to say whether
> "trust" or "don't trust" is the correct answer. But I see both sides and I
> want to help everyone also see both sides so they can be informed in their
> replies instead of this rapidly degenerating into a mess of useless
> speculation which can't be reconciled due to lack of facts.
>
> Matt
>
> --
> Matt Lewandowsky
> Big Geek
> Greenviolet
> m...@greenviolet.net http://www.greenviolet.net
> +1 415 578 5782 (US) +44 844 484 8254 (UK)
>



-- 
Thanks,

Jamie Duncan
@jamieeduncan
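The three-point policy Matt lays out in the quoted message (a known committer address, a GPG signature that verifies, and a key you can actually trust) is the kind of thing a consumer of git.centos.org can check for themselves in a local checkout. The script below is an added illustration of that check, not code from CentOS, Red Hat or anyone in this thread. It reads the output of git's own `--format` placeholders (`%G?` is the signature status code and `%GF` the signing key fingerprint, both documented in git-log(1)); the commit SHAs, key fingerprints and addresses in the sample are made up for the example, and the trusted-key and allowed-committer sets are assumptions you would replace with keys you have verified out of band.

```python
"""Commit-provenance policy check for a git checkout.

Added example for the list thread; not CentOS or Red Hat code.

Input is one line per commit in the form produced by

    git log --format='%H%x09%G?%x09%GF%x09%ce' <range>

i.e. tab-separated SHA, signature status (%G?), signing-key
fingerprint (%GF, empty when unsigned) and committer e-mail (%ce).
"""
import subprocess
from dataclasses import dataclass

# Meaning of the %G? status codes as documented in git-log(1).
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key untrusted",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}


@dataclass
class Verdict:
    commit: str
    committer: str
    status: str
    fingerprint: str
    accepted: bool
    reason: str


def check_commits(log_lines, trusted_keys, allowed_committers):
    """Apply the policy to each log line and return a Verdict per commit.

    Only the signature carries weight: the committer address is
    self-asserted metadata, so the allow-list is a sanity check, not
    authentication. A commit is accepted only when the signature status
    is "G" AND the signing key is in trusted_keys.
    """
    verdicts = []
    for line in log_lines:
        if not line.strip():
            continue
        sha, status, fpr, committer = line.rstrip("\n").split("\t")
        fpr = fpr.upper()
        if status != "G":
            ok, reason = False, SIG_STATUS.get(status, "unknown status")
        elif fpr not in trusted_keys:
            ok, reason = False, f"signed by untrusted key {fpr}"
        elif committer not in allowed_committers:
            ok, reason = False, f"committer {committer} not in allow-list"
        else:
            ok, reason = True, "signed by trusted key"
        verdicts.append(Verdict(sha, committer, status, fpr, ok, reason))
    return verdicts


def summarize(verdicts):
    """Return (accepted, rejected) counts for a quick CI gate."""
    accepted = sum(1 for v in verdicts if v.accepted)
    return accepted, len(verdicts) - accepted


def git_log_lines(repo, rev_range="HEAD"):
    """Produce the input lines from a real checkout (not used by the sample)."""
    out = subprocess.run(
        ["git", "-C", repo, "log",
         "--format=%H%x09%G?%x09%GF%x09%ce", rev_range],
        check=True, capture_output=True, text=True)
    return out.stdout.splitlines()


# Constructed sample: hypothetical SHAs, fingerprints and addresses.
TRUSTED_KEYS = {"A" * 40}                       # assumed verified fingerprint
ALLOWED_COMMITTERS = {"packager@example.com"}   # assumed expected committer
SAMPLE_LOG = [
    "1" * 40 + "\tG\t" + "A" * 40 + "\tpackager@example.com",  # ok
    "2" * 40 + "\tN\t\tbugs@example.com",                     # unsigned
    "3" * 40 + "\tG\t" + "B" * 40 + "\tpackager@example.com",  # unknown key
    "4" * 40 + "\tU\t" + "A" * 40 + "\tpackager@example.com",  # key untrusted
    "5" * 40 + "\tG\t" + "A" * 40 + "\tmallory@example.org",   # wrong address
]

if __name__ == "__main__":
    for v in check_commits(SAMPLE_LOG, TRUSTED_KEYS, ALLOWED_COMMITTERS):
        flag = "ACCEPT" if v.accepted else "REJECT"
        print(f"{flag} {v.commit[:12]} {v.committer}: {v.reason}")
    print("accepted/rejected:", summarize(
        check_commits(SAMPLE_LOG, TRUSTED_KEYS, ALLOWED_COMMITTERS)))
```

Point `git_log_lines` at a clone of the repository you care about and feed its output to `check_commits` to get the same verdicts on real history. Note that `%G?` reports "U" rather than "G" until the signing key is marked trusted in your own GPG keyring, which is exactly the "way to verifiably trust the signature" Matt's second point asks for.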
