On 11 Jun 2014, at 09:41, Steven Haigh <net...@crc.id.au> wrote:

> On 11/06/14 17:24, Matthias Schroeder wrote:
>> On 06/11/2014 04:12 AM, Steven Haigh wrote:
>>> On 11/06/14 12:07, Paul Robert Marino wrote:
>>>> Yes a lot of us noticed.
>>>> Recompiling an entire distro from scratch is not an easy proposition.
>>>> Furthermore they need to strip out all of the Red Hat branding. Expect
>>>> it to take a while at least a month or two if not more.
>>>
>>> I think it'll take longer than normal this time around... The build
>>> process is changing completely from previous versions.
>>
>> True, adapting the process to the new "supply chain" and source format
>> will take a while.
>>
>>> It seems the code
>>> is getting published on git.centos.org - but it seems nobody really
>>> knows who is putting it there.
>>>
>>> This leaves the moral quandary of 'do we all trust an anonymous source
>>> with no official ties to Red Hat?'
>>
>> http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
>>
>> "Current sources for Red Hat Enterprise Linux 7 have been moved to the
>> following location:
>>
>> https://git.centos.org/project/rpms"
>>
>> Does this reduce your moral quandary a little?
>
> Not at all. There is no source for this data at all. Just spec files and
> patches that have 'appeared'.
>
> The SRPMs provided by RedHat in the past are all signed by RedHat and
> are VERY difficult if not impossible to tamper with.
>
> There is no method to authenticate that the files being dumped into
> git.centos.org by an unknown source (hint: It isn't the CentOS guys
> putting them there) are unmodified or even supplied by RedHat.
>
> This is the problem.

Ok, I see your point now. Seems I misinterpreted the ‘moral quandary’.

Matthias

>
> --
> Steven Haigh
>
> Email: net...@crc.id.au
> Web: http://www.crc.id.au
> Phone: (03) 9001 6090 - 0412 935 897
> Fax: (03) 8338 0299
>