Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Stephen John Smoogen
On 10 June 2014 20:12, Steven Haigh net...@crc.id.au wrote:

> On 11/06/14 12:07, Paul Robert Marino wrote:
>> Yes a lot of us noticed.
>> Recompiling an entire distro from scratch is not an easy proposition.
>> Furthermore they need to strip out all of the Red Hat branding. Expect
>> it to take a while at least a month or two if not more.
>
> I think it'll take longer than normal this time around... The build
> process is changing completely from previous versions. It seems the code
> is getting published on git.centos.org - but it seems nobody really
> knows who is putting it there.
>
> This leaves the moral quandary of 'do we all trust an anonymous source
> with no official ties to Red Hat?'

Uh... that changed last summer when Red Hat became an official sponsor to
CentOS. So not sure where the anonymous source thing is coming from.

> Time will tell.



-- 
Stephen J Smoogen.


Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Matthias Schroeder

On 06/11/2014 04:12 AM, Steven Haigh wrote:
> On 11/06/14 12:07, Paul Robert Marino wrote:
>> Yes a lot of us noticed.
>> Recompiling an entire distro from scratch is not an easy proposition.
>> Furthermore they need to strip out all of the Red Hat branding. Expect
>> it to take a while at least a month or two if not more.
>
> I think it'll take longer than normal this time around... The build
> process is changing completely from previous versions.

True, adapting the process to the new supply chain and source format
will take a while.

> It seems the code
> is getting published on git.centos.org - but it seems nobody really
> knows who is putting it there.
>
> This leaves the moral quandary of 'do we all trust an anonymous source
> with no official ties to Red Hat?'

http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says

Current sources for Red Hat Enterprise Linux 7 have been moved to the
following location:

https://git.centos.org/project/rpms

Does this reduce your moral quandary a little?

Matthias

> Time will tell.



Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Steven Haigh
On 11/06/14 17:24, Matthias Schroeder wrote:
> On 06/11/2014 04:12 AM, Steven Haigh wrote:
>> On 11/06/14 12:07, Paul Robert Marino wrote:
>>> Yes a lot of us noticed.
>>> Recompiling an entire distro from scratch is not an easy proposition.
>>> Furthermore they need to strip out all of the Red Hat branding. Expect
>>> it to take a while at least a month or two if not more.
>>
>> I think it'll take longer than normal this time around... The build
>> process is changing completely from previous versions.
>
> True, adapting the process to the new supply chain and source format
> will take a while.
>
>> It seems the code
>> is getting published on git.centos.org - but it seems nobody really
>> knows who is putting it there.
>>
>> This leaves the moral quandary of 'do we all trust an anonymous source
>> with no official ties to Red Hat?'
>
> http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
>
> Current sources for Red Hat Enterprise Linux 7 have been moved to the
> following location:
>
> https://git.centos.org/project/rpms
>
> Does this reduce your moral quandary a little?

Not at all. There is no source for this data at all. Just spec files and
patches that have 'appeared'.

The SRPMs provided by RedHat in the past are all signed by RedHat and
are VERY difficult if not impossible to tamper with.

There is no method to authenticate that the files being dumped into
git.centos.org by an unknown source (hint: It isn't the CentOS guys
putting them there) are unmodified or even supplied by RedHat.

This is the problem.

-- 
Steven Haigh

Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299





Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Tom H
On Wed, Jun 11, 2014 at 3:41 AM, Steven Haigh net...@crc.id.au wrote:
> On 11/06/14 17:24, Matthias Schroeder wrote:
>> On 06/11/2014 04:12 AM, Steven Haigh wrote:
>>> On 11/06/14 12:07, Paul Robert Marino wrote:
>>>> Yes a lot of us noticed.
>>>> Recompiling an entire distro from scratch is not an easy proposition.
>>>> Furthermore they need to strip out all of the Red Hat branding. Expect
>>>> it to take a while at least a month or two if not more.
>>>
>>> I think it'll take longer than normal this time around... The build
>>> process is changing completely from previous versions.
>>
>> True, adapting the process to the new supply chain and source format
>> will take a while.
>>
>>> It seems the code
>>> is getting published on git.centos.org - but it seems nobody really
>>> knows who is putting it there.
>>>
>>> This leaves the moral quandary of 'do we all trust an anonymous source
>>> with no official ties to Red Hat?'
>>
>> http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
>>
>> Current sources for Red Hat Enterprise Linux 7 have been moved to the
>> following location:
>>
>> https://git.centos.org/project/rpms
>>
>> Does this reduce your moral quandary a little?
>
> Not at all. There is no source for this data at all. Just spec files and
> patches that have 'appeared'.
>
> The SRPMs provided by RedHat in the past are all signed by RedHat and
> are VERY difficult if not impossible to tamper with.
>
> There is no method to authenticate that the files being dumped into
> git.centos.org by an unknown source (hint: It isn't the CentOS guys
> putting them there) are unmodified or even supplied by RedHat.
>
> This is the problem.

AFAIC this is pure FUD.

In what way is the CentOS git less secure than other upstream git repos?

Do you have an example of files being dumped into the CentOS git by
non-CentOS uploaders? I've looked at a few packages and I see
kbsi...@karan.org (he's one of the main CentOS guys) and
b...@centos.org.


RE: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Matt Lewandowsky
Tom H, Sent: Wednesday, 11 June, 2014 01:33:
> AFAIC this is pure FUD.
>
> In what way is the CentOS git less secure than other upstream git repos?
>
> Do you have an example of files being dumped into the CentOS git by
> non-CentOS uploaders? I've looked at a few packages and I see
> kbsi...@karan.org (he's one of the main CentOS guys) and
> b...@centos.org.

The problem, as I see it, is that the b...@centos.org commits come from a 
magic place that no one is sure of where it is. The commits are not GPG 
signed, nor are they at all verifiable as originating with Red Hat.

We're getting a bit off-topic for this list, but I see the following as a 
solution to clarifying the current situation as I understand the reality to 
be:

1) Have the commits come from a Red Hat email address (since they're 
supposedly being pushed to the repo from Red Hat) as the committer.

2) Have the commits be GPG signed, with a way to verifiably trust the 
signature.

3) Ensure git.centos.org is able to show signing information.

This will result in a verifiable chain of the sources originating at Red Hat, 
and being reasonably sure of lack of tampering. However, it does add some risk 
to Red Hat as there is a degree of them certifying correctness. The 'don't 
trust' view is that *someone* needs to be able to put their name behind it as 
opposed to a faceless committer claiming to be the bug tracker.

Personally, I don't care if kbsi...@karan.org commits are signed if he doesn't 
want them to be and I suspect almost every party interested in this 
conversation would agree. It's his personal name on the line. The problem is 
the generic bug tracker address committing huge swaths of code of unknown 
provenance.

Again, this is just my view of the situation. I'm not trying to say whether 
trust or don't trust is the correct answer. But I see both sides and I 
want to help everyone also see both sides so they can be informed in their 
replies instead of this rapidly degenerating into a mess of useless 
speculation which can't be reconciled due to lack of facts.

Matt

-- 
Matt Lewandowsky
Big Geek
Greenviolet
m...@greenviolet.net http://www.greenviolet.net
+1 415 578 5782 (US) +44 844 484 8254 (UK)



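The three-point policy above (a committer address from the vendor, a good GPG signature, and tooling that surfaces the signature state) can be checked mechanically against what git already records. The helper below is an added example, not CentOS or Red Hat tooling; it consumes the output of `git log --format='%H%x09%G?%x09%ce'` (git's `%G?` signature-status placeholder and the committer e-mail) and flags every commit that is unsigned, badly signed, or committed from outside a trusted domain. The domains and hashes in the sample are constructed placeholders.

```python
"""Audit a git commit log for signed, domain-trusted commits.

Hypothetical helper (not CentOS/Red Hat tooling). Feed it the output of:
    git log --format='%H%x09%G?%x09%ce' <range>
where %G? is git's signature status: G good, B bad, U good but unknown
validity, X/Y/R expired or revoked key, E cannot be checked, N unsigned.
"""
from dataclasses import dataclass

# Only a good signature whose key is trusted counts as verified provenance.
GOOD_STATUSES = {"G"}


@dataclass(frozen=True)
class Finding:
    commit: str
    status: str
    committer: str
    reason: str


def audit_log(log_text: str, trusted_domains: set[str]) -> list[Finding]:
    """Return one Finding per commit that fails the policy: a good
    signature AND a committer address in one of trusted_domains."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, committer = line.split("\t")
        domain = committer.rpartition("@")[2].lower()
        if status not in GOOD_STATUSES:
            findings.append(Finding(commit, status, committer,
                                    f"signature status {status!r} is not a good signature"))
        elif domain not in trusted_domains:
            findings.append(Finding(commit, status, committer,
                                    f"committer domain {domain!r} is not trusted"))
    return findings


# Constructed sample log: hashes and addresses are placeholders, not real commits.
SAMPLE_LOG = (
    "aaaa1111\tG\tbuilder@example-vendor.test\n"      # signed, trusted domain
    "bbbb2222\tN\tbugs@example-project.test\n"        # unsigned generic address
    "cccc3333\tB\tbuilder@example-vendor.test\n"      # bad signature
    "dddd4444\tG\tsomeone@example-project.test\n"     # signed, but untrusted domain
)

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG, {"example-vendor.test"}):
        print(f"{f.commit} {f.committer}: {f.reason}")
```

Run against a real checkout, anything the script reports is a commit whose provenance rests on the hosting site alone rather than on a verifiable signature.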

Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Matthias Schroeder
On 11 Jun 2014, at 09:41, Steven Haigh net...@crc.id.au wrote:

> On 11/06/14 17:24, Matthias Schroeder wrote:
>> On 06/11/2014 04:12 AM, Steven Haigh wrote:
>>> On 11/06/14 12:07, Paul Robert Marino wrote:
>>>> Yes a lot of us noticed.
>>>> Recompiling an entire distro from scratch is not an easy proposition.
>>>> Furthermore they need to strip out all of the Red Hat branding. Expect
>>>> it to take a while at least a month or two if not more.
>>>
>>> I think it'll take longer than normal this time around... The build
>>> process is changing completely from previous versions.
>>
>> True, adapting the process to the new supply chain and source format
>> will take a while.
>>
>>> It seems the code
>>> is getting published on git.centos.org - but it seems nobody really
>>> knows who is putting it there.
>>>
>>> This leaves the moral quandary of 'do we all trust an anonymous source
>>> with no official ties to Red Hat?'
>>
>> http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
>>
>> Current sources for Red Hat Enterprise Linux 7 have been moved to the
>> following location:
>>
>> https://git.centos.org/project/rpms
>>
>> Does this reduce your moral quandary a little?
>
> Not at all. There is no source for this data at all. Just spec files and
> patches that have 'appeared'.
>
> The SRPMs provided by RedHat in the past are all signed by RedHat and
> are VERY difficult if not impossible to tamper with.
>
> There is no method to authenticate that the files being dumped into
> git.centos.org by an unknown source (hint: It isn't the CentOS guys
> putting them there) are unmodified or even supplied by RedHat.
>
> This is the problem.

Ok, I see your point now. Seems I misinterpreted the ‘moral quandary’.

Matthias

> --
> Steven Haigh
>
> Email: net...@crc.id.au
> Web: http://www.crc.id.au
> Phone: (03) 9001 6090 - 0412 935 897
> Fax: (03) 8338 0299


Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Nico Kadel-Garcia
On Wed, Jun 11, 2014 at 5:21 AM, Steven Haigh net...@crc.id.au wrote:

> I have no doubt that something will come of it - watch this space. When
> it does happen, we all win.

Cool. We didn't have visibility into the git history of RHEL source
code before, so the visibility into the git history of CentOS as the
published open source and free software for Red Hat is an
interesting change. But yes, I do understand your concern about
provenance.

Looking at it, my concern is that there's not a graceful way to get a
list of all the git repos for actual packages published, only a web
interface, and the distinction between CentOS packages and RHEL
published packages is unclear. That's quite distinct from a directory
full of SRPMs that can be listed and parsed from a canonical web
directory and yum repository.

I'm also afraid that the web interface at git.centos.org is making my
eyes bleed.