On Wed, Sep 3, 2014 at 4:33 AM, Andreas Mock <andreas.m...@drumedar.de> wrote:
> Hi Pat, hi Patrick,
>
> thanks for your answers and comments.
>
> How would someone like me get a SRPM for a binary package found or installed on
> a SL 7.0 system?
>
> I really don't understand at the moment how it is verified that sources are from
> RH and unaltered by someone in between.
>
> Best regards
> Andreas Mock
Our favorite upstream vendor signs the SRPMs and RPMs with GPG signatures, which can be verified from their public websites and their installation media. So do CentOS and Scientific Linux.

Now, if I could just convince our new upstream software friends over at git.centos.org to use GPG signatures for git tags, I'd be much happier about the provenance of software in that new public repository. I'd be even happier if the person from Red Hat who uploads the original source code from Red Hat would GPG sign a tag for *just that code* with a Red Hat key, and our CentOS maintainers (some of whom are now Red Hat employees!) could GPG sign tags for CentOS modified software. But I'd be thrilled to pieces if they'd even affix a CentOS tag to the Red Hat uploaded content, just for the provenance concerns I've already raised.

Sadly, my concerns about provenance have been ignored, and now the existing Scientific Linux development from git.centos.org is being held up as proof that git tags are not desirable and my concerns ill founded. It's quite galling: the current semi-manual re-assembly of local branches, based on "git log" entries, is winding up lauded as sufficient and superior because, frankly, it's the only thing that's currently supported.

It's really quite galling. I've gotten quite put out with every sys-admin in the world thinking they can re-invent the wheel, and coming up with their own mismatched wheels, to replace what are well designed software features like git 'tags'.
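The two verification steps discussed in this thread (checking the vendor's GPG signature on an RPM/SRPM, and verifying a GPG-signed git tag) are easy to script badly. The script below is an added example written for this page; it is not code from either poster, from Red Hat, CentOS or Scientific Linux. It wraps `rpm -K` (`rpm --checksig`) and `git verify-tag --raw` with two checks a practitioner usually forgets: `rpm -K` prints "OK" for an *unsigned* package as well (it only verified the digests), and a GOODSIG from gpg only says the signature matches *some* key in your keyring, not the key you meant, so the VALIDSIG fingerprint has to be compared against an allowlist. The `rpm -K` output formats in the comments are assumptions about rpm 4.11 (RHEL/SL 7) and later rpm releases; the fingerprints and package names in the examples are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Two small checks around
# package-signature and git-tag verification.

# Classify one line of `rpm -K` / `rpm --checksig` output. Assumed formats:
#   rpm 4.11 (RHEL/SL 7):
#     foo.rpm: rsa sha1 (md5) pgp md5 OK                         (signed, key known)
#     foo.rpm: sha1 md5 OK                                       (UNSIGNED, digests only)
#     foo.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#deadbeef)
#   newer rpm:
#     foo.rpm: digests signatures OK                             (signed, key known)
#     foo.rpm: digests OK                                        (UNSIGNED)
#     foo.rpm: digests SIGNATURES NOT OK
# The exit status and the bare word "OK" do not distinguish signed from
# unsigned, so we require an explicit pgp/signatures verdict.
rpm_sig_status() {
  case "$1" in
    *"MISSING KEYS"*)                              echo missing-key ;;
    *"NOT OK"*)                                    echo bad ;;
    *"signatures OK"*|*pgp*" OK"*|*PGP*" OK"*)     echo signed ;;
    *" OK"*)                                       echo unsigned ;;
    *)                                             echo unknown ;;
  esac
}

# Fail unless every file given is signed by a key already imported into the
# rpm database (import with: rpm --import RPM-GPG-KEY-...; list with:
# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n').
verify_rpms() {
  rc=0
  for f in "$@"; do
    status=$(rpm_sig_status "$(rpm -K "$f" 2>&1)")
    if [ "$status" != signed ]; then
      echo "$f: $status" >&2
      rc=1
    fi
  done
  return $rc
}

# Read raw gpg status lines on stdin (as printed by `git verify-tag --raw`
# or `gpg --status-fd 1 --verify`) and succeed only if a VALIDSIG line names
# a fingerprint in $1 (space-separated allowlist). Any BADSIG/ERRSIG/
# EXPKEYSIG/REVKEYSIG rejects the input outright.
gpg_status_has_valid_sig() {
  allow=$1
  found=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        fpr=${line#"[GNUPG:] VALIDSIG "}
        fpr=${fpr%% *}
        for want in $allow; do
          [ "$fpr" = "$want" ] && found=0
        done ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
        return 1 ;;
    esac
  done
  return $found
}

# Verify a signed git tag and pin it to the expected signing key(s).
# git verify-tag --raw writes the gpg status lines to stderr.
verify_git_tag() {
  tag=$1
  allow=$2
  git verify-tag --raw "$tag" 2>&1 >/dev/null | gpg_status_has_valid_sig "$allow"
}

# Usage: script.sh rpm FILE.rpm...      |  script.sh tag TAGNAME FINGERPRINT...
if [ "$#" -gt 0 ]; then
  mode=$1; shift
  case "$mode" in
    rpm) verify_rpms "$@" ;;
    tag) t=$1; shift; verify_git_tag "$t" "$*" ;;
    *)   echo "usage: $0 rpm FILE... | tag TAG FINGERPRINT..." >&2; exit 2 ;;
  esac
fi
```

To produce a signed tag in the first place, the maintainer runs `git tag -s v1.0 -m 'release 1.0'`; `git verify-tag v1.0` or `git log --show-signature` then checks it, and the wrapper above adds the fingerprint pinning that neither command does on its own.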