On Sun, Jun 22, 2014 at 4:42 PM, Mark Rousell <markrlon...@hotmail.co.uk> wrote:
> I've been following the discussions on this list about the changes in RHEL's 
> source availability and I'd like to confirm my understanding of the current 
> situation.
>
> Someone on another mail list made this comment:
>
>         RedHat have said that they'll not be releasing source RPMs any more, so
>         the response by the Scientific Linux people has more or less been
>         "Either use CentOS or our very own re-packaged CentOS thingie".
>
> This is incorrect (in terms of both statements that it makes), isn't it?
>
>
> Here is my current understanding. Please feel free to correct or confirm:-
>
> 1) RH now makes SRPMs available only to customers (but SRPMs are nevertheless 
> still available on those terms).
>
> 2) The RHEL source is publicly also available on git.centos.org.
>
> 3) But it is not *absolutely* crystal clear what on git.centos.org is pure 
> unadulterated RHEL source and what is CentOS source.
>
> 4) The SL project is writing tools to automatically extract RHEL source from 
> git.centos.org.
>
> 5) SL7 will therefore be based on RHEL7 and definitely not on CentOS.
>
> 6) Anything I've forgotten?
>
>
> Thanks to anyone who can help with this.

Step 4 is not reliable, and may cause profound problems, without step
3. Without verifiable GPG signed tags, in fact, a malicious proxy
could use any of the stolen SSL root certificates, sign a forged
'git.centos.org' SSL signature, and interpose their trojan software
burdened git repository.

Moving away from the public SRPMs is burdensome to rebuilders other
than CentOS, at least without those steps.
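As an added illustration of the check the reply is asking for (this is not code from the thread, nor from the SL or CentOS tooling), the script below builds a throwaway upstream repo with a GPG-signed release tag, a clone standing in for what a proxy could hand back with the same tag re-signed by its own key, and a rebuilder-side check that accepts a tag only when its signature comes from a key already in the rebuilder's own keyring. It assumes git and gpg 2.1+ are installed; every key, path, tag and identity in it is constructed for the demo.

```shell
#!/bin/sh
# Added demonstration, not code from the thread or from SL/CentOS: signed-tag
# verification as the control against a proxy that substitutes a repository
# behind a forged TLS certificate. Assumes git and gpg 2.1+ on PATH; all keys,
# repos, tags and identities below are constructed here (hypothetical names).
set -eu

for tool in git gpg gpgconf mktemp; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool is required" >&2; exit 1; }
done

WORK=$(mktemp -d)
TRUSTED_HOME="$WORK/trusted-gnupg"    # rebuilder's own keyring: trust obtained out of band
ATTACKER_HOME="$WORK/attacker-gnupg"  # keyring of the hypothetical malicious proxy
DEMO_REPO="$WORK/upstream"            # constructed stand-in for the genuine public repo
MIRROR="$WORK/proxied-mirror"         # what the rebuilder actually receives through the proxy
mkdir -m 700 "$TRUSTED_HOME" "$ATTACKER_HOME"
trap 'gpgconf --homedir "$TRUSTED_HOME" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$ATTACKER_HOME" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# make_key HOMEDIR USER-ID -> prints the fingerprint of a fresh passphrase-less key
make_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never 2>/dev/null
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '/^fpr/ { print $10; exit }'
}

TRUSTED_FPR=$(make_key "$TRUSTED_HOME" "Upstream Release Key <release@example.invalid>")
ATTACKER_FPR=$(make_key "$ATTACKER_HOME" "Malicious Proxy <proxy@example.invalid>")

# The genuine upstream repo: one release commit, one signed tag, one unsigned tag.
git -c init.defaultBranch=main init -q "$DEMO_REPO"
git -C "$DEMO_REPO" config user.name "Upstream"
git -C "$DEMO_REPO" config user.email "release@example.invalid"
git -C "$DEMO_REPO" commit -q --allow-empty -m "constructed release commit"
GNUPGHOME="$TRUSTED_HOME" git -C "$DEMO_REPO" tag -u "$TRUSTED_FPR" -m "release 1.0" v1.0
git -C "$DEMO_REPO" tag -a -m "annotated but unsigned" v1.0-unsigned

# verify_release_tag REPO TAG -> 0 only for a good signature from a key in the
# rebuilder's keyring; an unsigned tag or an unknown signer fails closed.
verify_release_tag() {
    GNUPGHOME="$TRUSTED_HOME" git -C "$1" verify-tag "$2" >/dev/null 2>&1
}

# simulate_proxy_substitution MIRROR -> the proxy serves its own copy of the repo:
# an extra commit, and the v1.0 tag replaced by one signed with the proxy's key.
simulate_proxy_substitution() {
    git clone -q "$DEMO_REPO" "$1"
    git -C "$1" config user.name "Malicious Proxy"
    git -C "$1" config user.email "proxy@example.invalid"
    git -C "$1" commit -q --allow-empty -m "constructed substituted commit"
    GNUPGHOME="$ATTACKER_HOME" git -C "$1" tag -f -u "$ATTACKER_FPR" -m "release 1.0" v1.0 >/dev/null
}

simulate_proxy_substitution "$MIRROR"

# report REPO TAG -> one verdict line for the stand-alone run
report() {
    if verify_release_tag "$1" "$2"; then
        echo "ACCEPT $2 in ${1##*/}"
    else
        echo "REJECT $2 in ${1##*/}"
    fi
}
report "$DEMO_REPO" v1.0             # ACCEPT: signed by the key the rebuilder trusts
report "$DEMO_REPO" v1.0-unsigned    # REJECT: nothing to verify
report "$MIRROR" v1.0                # REJECT: signed by a key the rebuilder never imported
```

The point of the separate GNUPGHOME directories is that transport security is never consulted: the mirror's tag is a perfectly valid OpenPGP signature, it just comes from a key the rebuilder did not obtain out of band, so `git verify-tag` rejects it the same way it rejects the unsigned tag. A rebuilder automating step 4 would run the equivalent of `verify_release_tag` before extracting anything from a fetched tree.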
