Re: About CentOS forces...

2014-12-18 Thread Karel Lang AFD

On 12/17/2014 11:27 PM, Mark Stodola wrote:

On 12/17/2014 04:25 PM, Fernando Andrés Muñoz Bravo wrote:

I mean, if SL will become a CentOS variant or not.





I think the answer to that is no.  The SL team made a decision to
continue to spin their own independent set of packages and not become an
add-on repository to the CentOS build.

Someone please correct me if I am wrong...

-Mark


... and I'm glad for that!

--
*Karel Lang*
*Unix/Linux Administration*
l...@afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz


Re: About CentOS forces...

2014-12-18 Thread Alain Péan

On 17/12/2014 23:27, Mark Stodola wrote:
I think the answer to that is no.  The SL team made a decision to 
continue to spin their own independent set of packages and not become 
an add-on repository to the CentOS build.


Someone please correct me if I am wrong...


Yes, but the RHEL source srpms packages are now (RHEL 7) on a CentOS git 
repository, where Red Hat put them, but without any signature to 
authenticate them...

https://git.centos.org/project/rpms

See :
http://lwn.net/Articles/603865/

So SL will rebuild the CentOS SRPMS (perhaps, certainly, not in the same 
way)...


Alain

--
System/Network Administrator
Laboratoire de Photonique et Nanostructures (LPN/CNRS - UPR20)
Centre de Recherche Alcatel Data IV - Marcoussis
route de Nozay - 91460 Marcoussis
Tel : 01-69-63-61-34


Re: About CentOS forces...

2014-12-18 Thread Nico Kadel-Garcia
On Thu, Dec 18, 2014 at 7:44 AM, Alain Péan alain.p...@lpn.cnrs.fr wrote:
 On 17/12/2014 23:27, Mark Stodola wrote:

 I think the answer to that is no.  The SL team made a decision to continue
 to spin their own independent set of packages and not become an add-on
 repository to the CentOS build.

 Someone please correct me if I am wrong...


 Yes, but the RHEL source srpms packages are now (RHEL 7) on a CentOS git
 repository, where Red Hat put them, but without any signature to authenticate
 them...
 https://git.centos.org/project/rpms

 See :
 http://lwn.net/Articles/603865/

 So SL will rebuild the CentOS SRPMS (perhaps, certainly, not in the same
 way)...

 Alain

It's a problem. The new git structure at git.centos.org, rather than
directly using RHEL signed SRPMs, does create a provenance problem.
They seem to have been good about it, and some of their core members
are now Red Hat employees, and this is now the official software
channel, and that's all reassuring. But there's a notable difference
between "here is the source tree which someone labeled as using the
word 'import' in the git commit messages", and "this is the signed
SRPM that was built with mock or koji when I compiled the actual
software, and which is signed with the same key at the same time".

I've suggested using git tags, and GPG signatures on them instead, on
several occasions. This would help ensure that the repo, and copies of
the repo, are never edited and corrupted. Without that, the system is
vulnerable to a man-in-the-middle attack with signed, though
fraudulent, SSL keys, because SSL signature authorities have been
compromised at least once that we know of. And that git.centos.org is
secure and has an SSL key is irrelevant if someone is cloning or
rsyncing parts of it for local development. Ensuring that that
particular part of the software is, in fact, what the main repository
has is quite awkward and expensive in time and network resources.

I'm actually fairly miffed at their insistence that "oh, we'll denote
which is the build version of the source code by interpreting git log
messages in a unique way that no one else in the world does" rather
than using the built-in and GPG signable git tags.
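
The check that GPG-signed git tags make possible on a local copy, as an added example that is not part of the original thread and not CentOS or Red Hat tooling. The key, tag name `pkg-1.0-1`, file `pkg.spec` and helper functions are all constructed for the demonstration; it assumes `git` and GnuPG 2.1 or later are installed.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway key and repositories under a temp dir.
set -u
WORK=$(mktemp -d)
export HOME="$WORK" GNUPGHOME="$WORK/gnupg"   # isolate from the user's git/gpg config
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT
KEY=signer@example.invalid                     # constructed signer identity
TAG=pkg-1.0-1                                  # constructed tag name
g() { git -c user.name=demo -c user.email="$KEY" "$@"; }

# Upstream: one commit, then a GPG-signed annotated tag naming that commit.
setup_upstream() (
  mkdir -m 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Constructed Signer <$KEY>" default default never 2>/dev/null
  git init -q "$WORK/upstream" && cd "$WORK/upstream" || exit 1
  echo 'Release: 1' > pkg.spec
  g add pkg.spec && g commit -q -m "import $TAG"
  g -c user.signingkey="$KEY" tag -s -m "build source for $TAG" "$TAG"
)

# A copy whose content was edited and whose tag was moved to the edited commit,
# keeping the same 'import' commit message as the original.
make_tampered_copy() (
  git clone -q "$WORK/upstream" "$WORK/copy" && cd "$WORK/copy" || exit 1
  echo 'Release: 1.altered' > pkg.spec
  g commit -q -a -m "import $TAG"
  g tag -f "$TAG" >/dev/null          # lightweight replacement: carries no signature
)

# Succeeds only if TAG is a validly signed tag object and HEAD is the commit it names.
verify_copy() {
  git -C "$1" verify-tag "$2" 2>/dev/null || return 1
  [ "$(git -C "$1" rev-parse HEAD)" = "$(git -C "$1" rev-parse "$2^{commit}")" ]
}

setup_upstream && make_tampered_copy || exit 1
for d in upstream copy; do
  if verify_copy "$WORK/$d" "$TAG"; then echo "$d: signed tag verifies"
  else echo "$d: REJECTED"; fi
done
```

The altered copy carries the same commit message and tag name as upstream, so only the signature check tells the two apart, and it runs locally against the signer's public key without contacting the main repository.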


About CentOS forces...

2014-12-17 Thread Fernando Andrés Muñoz Bravo
Hi guys...

What about CentOS variant for SL?... Still planning, or this kind of
merging will not apply?

-- 
Fernando Andrés Muñoz Bravo
*Tg.* Information Systems Analysis and Development
Linux user #487547


Re: About CentOS forces...

2014-12-17 Thread Fernando Andrés Muñoz Bravo
I mean, if SL will become a CentOS variant or not.

On Wed, Dec 17, 2014 at 5:18 PM, Stephen John Smoogen smo...@gmail.com
wrote:



 On 17 December 2014 at 14:49, Fernando Andrés Muñoz Bravo 
 wasp...@gmail.com wrote:

 Hi guys...

 What about CentOS variant for SL?... Still planning, or this kind of
 merging will not apply?


 I think it is going to take a lot more context for anyone to understand
 what you are meaning.




 --
 Fernando Andrés Muñoz Bravo
 *Tg.* Information Systems Analysis and Development
 Linux user #487547



 --
 Stephen J Smoogen.



-- 
Fernando Andrés Muñoz Bravo
*Tg.* Information Systems Analysis and Development
Linux user #487547


Re: About CentOS forces...

2014-12-17 Thread Andrew Z
--use-the-force-luke
 On Dec 17, 2014 5:18 PM, Stephen John Smoogen smo...@gmail.com wrote:



 On 17 December 2014 at 14:49, Fernando Andrés Muñoz Bravo 
 wasp...@gmail.com wrote:

 Hi guys...

 What about CentOS variant for SL?... Still planning, or this kind of
 merging will not apply?


 I think it is going to take a lot more context for anyone to understand
 what you are meaning.




 --
 Fernando Andrés Muñoz Bravo
 *Tg.* Information Systems Analysis and Development
 Linux user #487547



 --
 Stephen J Smoogen.




Re: About CentOS forces...

2014-12-17 Thread Mark Stodola

On 12/17/2014 04:25 PM, Fernando Andrés Muñoz Bravo wrote:

I mean, if SL will become a CentOS variant or not.

On Wed, Dec 17, 2014 at 5:18 PM, Stephen John Smoogen smo...@gmail.com wrote:



On 17 December 2014 at 14:49, Fernando Andrés Muñoz Bravo
wasp...@gmail.com wrote:

Hi guys...

What about CentOS variant for SL?... Still planning, or this
kind of merging will not apply?


I think it is going to take a lot more context for anyone to
understand what you are meaning.


--
Fernando Andrés Muñoz Bravo
*Tg.* Information Systems Analysis and Development
Linux user #487547



--
Stephen J Smoogen.



--
Fernando Andrés Muñoz Bravo
*Tg.* Information Systems Analysis and Development
Linux user #487547


I think the answer to that is no.  The SL team made a decision to 
continue to spin their own independent set of packages and not become an 
add-on repository to the CentOS build.


Someone please correct me if I am wrong...

-Mark