Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-14 Thread Akemi Yagi
On Fri, Jun 13, 2014 at 7:46 PM, Jamie Duncan jamie.e.dun...@gmail.com wrote:

 On Fri, Jun 13, 2014 at 9:38 PM, Patrick J. LoPresti lopre...@gmail.com
 wrote:

 On Fri, Jun 13, 2014 at 6:31 PM, Akemi Yagi amy...@gmail.com wrote:
 
  Just wanted to make a short note to say that source DVDs are available
  to RH customers.

 If they're not released to the public, they are almost guaranteed to be
 encumbered in a manner similar to the binary RPMs, which would make that
 illegal.
 I haven't looked for changes to the EULA with RHEL7 yet, but I would imagine
 they took care of it.

You might want to follow this RH bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1109401
SRPMs no longer available

Akemi


Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-12 Thread Tom H
On Thu, Jun 12, 2014 at 6:28 PM, Yasha Karant ykar...@csusb.edu wrote:
 I have the following, possibly silly, question to post.  As I understand it,
 access to the git repositories meets TUV linux/GPL requirements for release
 of the source.  Nonetheless, the realities are that it is easier to build
 from the actual SRPMs that TUV uses.  These are not to be released by TUV.
 Presumably, CentOS, as what amounts to an owned subsidiary of Red Hat, uses
 SRPMs and the like to build CentOS internally -- or has a very extensive
 tool set for the git repositories.  My guess is that both TUV and CentOS
 construct SRPMs from the git repositories to build the respective
 distributions.  Hence, there most likely are (must be) tools/utilities that
 create from the git repositories a compatible coherent set of SRPMs.  Can
 the SL groups either get those tools from CentOS or can these tools be
 recreated?  For a system as complex as EL, any modern version of a build
 environment uses automation -- tools.

 Yasha Karant

 On 06/11/2014 05:15 PM, Nico Kadel-Garcia wrote:

 On Wed, Jun 11, 2014 at 1:10 PM, Yasha Karant ykar...@csusb.edu wrote:

 I  have been following this thread as we will be transitioning to EL7 as
 it becomes available from SL.  From the Red Hat CentOS web site:



 This is amazingly helpful. In the past I’ve spent an enormous amount of
 time trying to figure out the appropriate compile options to get newer
 versions of software working, and wishing that CentOS had something like
 Arch’s ABS – now you do.


 Access to the git resources of the Red Hat published packages is irrelevant
 to the build environment. That material is all available in the SRPM's.
 It's the mock and relevant toolchains, used to build the hierarchy of
 critical dependencies to be able to run mock and build the other components,
 that is still unpublished.



 End CentOS infomercial.

 What is the reality of the above -- yes, I have read this SL thread in so
 far as it has appeared in my inbox to date.  Is this truly amazingly
 helpful or is this to be a major impediment?  Will it only cause some
 users to change their workflows a bit, or is this a much, much larger
 change than a bit?  The answer to this question must come from the actual SL
 porting team(s), presumably at Fermilab and CERN, and as farmed out to those
 directly working with the Fermilab/CERN porting/support groups.

 Yasha Karant


 There are trade offs. A git history of the changes needed to compile for
 CentOS is potentially useful. A lack of a canonical "this tag is from
 RHEL, the other stuff is all from CentOS" is likely to create confusion
 about which bits were published or added by whom. If Scientific Linux is
 going to be built from RHEL and add its unique features, rather than rely on
 CentOS as an immediate upstream, this is going to need attention.  It's
 going to be especially awkward if they elect not to publish GPG signed tags
 to go with the particular software updates.

 I'm staring at
 ftp://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README, which
 says that the FTP repository for RHEL SRPM mirrors will no longer be
 available. This is going to make manipulating roughly 3000 distinct git
 repositories instead of one bulky SRPM directory rather critical. And git
 has no way to report the list of all the git repositories on this server,
 they're all considered unique. Instead that eye-stabbing interface at
 http://git.centos.org/ will have to be parsed to extract the list of actual
 repositories, many components of which may be renamed or discarded in future
 RHEL 7 releases.

 This is going to be a lot of work.



 On 06/10/2014 05:11 PM, Nico Kadel-Garcia wrote:

 I'm staring at
 http://www.redhat.com/about/news/press-archive/2014/6/red-hat-unveils-rhel-7,
 Looks like we can start testing trying to build it. Is there anything
 I can do to help?

From http://lists.centos.org/pipermail/centos-devel/2014-June/010573.html

We do not have any of the SRPMs either, just the git repo.  We have to
check out the tree and assemble the SRPMs from git to build them.  What
you see on git.centos.org is all we have too.

And http://wiki.centos.org/Sources

has an example of how CentOS builds rpms.

But keeping track of the updates to every package is going to be
interesting unless there is a git tool for this or CentOS publishes an
rss feed.


Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Stephen John Smoogen
On 10 June 2014 20:12, Steven Haigh net...@crc.id.au wrote:

 On 11/06/14 12:07, Paul Robert Marino wrote:
  Yes a lot of us noticed.
  Recompiling an entire distro from scratch is not an easy proposition.
  Furthermore they need to strip out all of the Red Hat branding. Expect
  it to take a while at least a month or two if not more.

 I think it'll take longer than normal this time around... The build
 process is changing completely from previous versions. It seems the code
 is getting published on git.centos.org - but it seems nobody really
 knows who is putting it there.

 This leaves the moral quandary of 'do we all trust an anonymous source
 with no official ties to Red Hat?'


Uh... that changed last summer when Red Hat became an official sponsor to
CentOS. So not sure where the anonymous source thing is coming from.


 Time will tell.



-- 
Stephen J Smoogen.


Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Matthias Schroeder

On 06/11/2014 04:12 AM, Steven Haigh wrote:

On 11/06/14 12:07, Paul Robert Marino wrote:

Yes a lot of us noticed.
Recompiling an entire distro from scratch is not an easy proposition.
Furthermore they need to strip out all of the Red Hat branding. Expect
it to take a while at least a month or two if not more.


I think it'll take longer than normal this time around... The build
process is changing completely from previous versions.


True, adapting the process to the new supply chain and source format 
will take a while.



It seems the code
is getting published on git.centos.org - but it seems nobody really
knows who is putting it there.

This leaves the moral quandary of 'do we all trust an anonymous source
with no official ties to Red Hat?'


http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says

Current sources for Red Hat Enterprise Linux 7 have been moved to the 
following location:


https://git.centos.org/project/rpms

Does this reduce your moral quandary a little?

Matthias




Time will tell.



Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Steven Haigh
On 11/06/14 17:24, Matthias Schroeder wrote:
 On 06/11/2014 04:12 AM, Steven Haigh wrote:
 On 11/06/14 12:07, Paul Robert Marino wrote:
 Yes a lot of us noticed.
 Recompiling an entire distro from scratch is not an easy proposition.
 Furthermore they need to strip out all of the Red Hat branding. Expect
 it to take a while at least a month or two if not more.

 I think it'll take longer than normal this time around... The build
 process is changing completely from previous versions.
 
 True, adapting the process to the new supply chain and source format
 will take a while.
 
 It seems the code
 is getting published on git.centos.org - but it seems nobody really
 knows who is putting it there.

 This leaves the moral quandary of 'do we all trust an anonymous source
 with no official ties to Red Hat?'
 
 http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
 
 Current sources for Red Hat Enterprise Linux 7 have been moved to the
 following location:
 
 https://git.centos.org/project/rpms
 
 Does this reduce your moral quandary a little?

Not at all. There is no source for this data at all. Just spec files and
patches that have 'appeared'.

The SRPMs provided by RedHat in the past are all signed by RedHat and
are VERY difficult if not impossible to tamper with.

There is no method to authenticate that the files being dumped into
git.centos.org by an unknown source (hint: It isn't the CentOS guys
putting them there) are unmodified or even supplied by RedHat.

This is the problem.

-- 
Steven Haigh

Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299





Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Tom H
On Wed, Jun 11, 2014 at 3:41 AM, Steven Haigh net...@crc.id.au wrote:
 On 11/06/14 17:24, Matthias Schroeder wrote:
 On 06/11/2014 04:12 AM, Steven Haigh wrote:
 On 11/06/14 12:07, Paul Robert Marino wrote:

 Yes a lot of us noticed.
 Recompiling an entire distro from scratch is not an easy proposition.
 Furthermore they need to strip out all of the Red Hat branding. Expect
 it to take a while at least a month or two if not more.

 I think it'll take longer than normal this time around... The build
 process is changing completely from previous versions.

 True, adapting the process to the new supply chain and source format
 will take a while.

 It seems the code
 is getting published on git.centos.org - but it seems nobody really
 knows who is putting it there.

 This leaves the moral quandary of 'do we all trust an anonymous source
 with no official ties to Red Hat?'

 http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says

 Current sources for Red Hat Enterprise Linux 7 have been moved to the
 following location:

 https://git.centos.org/project/rpms

 Does this reduce your moral quandary a little?

 Not at all. There is no source for this data at all. Just spec files and
 patches that have 'appeared'.

 The SRPMs provided by RedHat in the past are all signed by RedHat and
 are VERY difficult if not impossible to tamper with.

 There is no method to authenticate that the files being dumped into
 git.centos.org by an unknown source (hint: It isn't the CentOS guys
 putting them there) are unmodified or even supplied by RedHat.

 This is the problem.

AFAIC this is pure FUD.

In what way is the CentOS git less secure than other upstream git repos?

Do you have an example of files being dumped into the CentOS git by
non-CentOS uploaders? I've looked at a few packages and I see
kbsi...@karan.org (he's one of the main CentOS guys) and
b...@centos.org.


RE: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Matt Lewandowsky
Tom H, Sent: Wednesday, 11 June, 2014 01:33:
 AFAIC this pure FUD.

 In what way is the CentOS git less secure than other upstream git repos?

 Do you have an example of files being dumped into the CentOS git by
 non-CentOS uploaders? I've look at a few packages and I see
 kbsi...@karan.org (he's one of the main CentOS guys) and
 b...@centos.org.

The problem, as I see it, is that the b...@centos.org commits come from a 
magic place that no one is sure of where it is. The commits are not GPG 
signed, nor are they at all verifiable as originating with Red Hat.

We're getting a bit off-topic for this list, but I see the following as a 
solution to clarifying the current situation as I understand the reality to 
be:

1) Have the commits come from a Red Hat email address (since they're 
supposedly being pushed to the repo from Red Hat) as the committer.

2) Have the commits be GPG signed, with a way to verifiably trust the 
signature.

3) Ensure git.centos.org is able to show signing information.

This will result in a verifiable chain of the sources originating at Red Hat, 
and being reasonably sure of lack of tampering. However, it does add some risk 
to Red Hat as there is a degree of them certifying correctness. The "don't 
trust" view is that *someone* needs to be able to put their name behind it as 
opposed to a faceless committer claiming to be the bug tracker.

Personally, I don't care if kbsi...@karan.org commits are signed if he doesn't 
want them to be and I suspect almost every party interested in this 
conversation would agree. It's his personal name on the line. The problem is 
the generic bug tracker address committing huge swaths of code of unknown 
provenance.

Again, this is just my view of the situation. I'm not trying to say whether 
"trust" or "don't trust" is the correct answer. But I see both sides and I 
want to help everyone also see both sides so they can be informed in their 
replies instead of this rapidly degenerating into a mess of useless 
speculation which can't be reconciled due to lack of facts.

Matt

-- 
Matt Lewandowsky
Big Geek
Greenviolet
m...@greenviolet.net http://www.greenviolet.net
+1 415 578 5782 (US) +44 844 484 8254 (UK)


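The three points above (a committer address that names the origin, a GPG signature on every commit, and a way to check that signature against a key one has chosen to trust) can be turned into a repeatable check once a dist-git repository has been cloned. What follows is an added example, not part of the thread and not tooling from git.centos.org or Red Hat. It assumes the history was exported with `git log --format='%H%x09%G?%x09%GK%x09%ce'` (hash, git's signature status code, signing key ID, committer e-mail, tab separated), and the key IDs, addresses and hashes in the sample are constructed placeholders. The pinned key set stands in for Matt's point 2: a valid signature from a key nobody vouched for is treated as a failure, not a pass.

```python
"""Audit a dist-git history for provenance: who committed, was it signed, by which key."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Meaning of git's %G? placeholder, as documented in git-log(1).
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, made by expired key",
    "R": "good signature, made by revoked key",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}


@dataclass(frozen=True)
class Finding:
    commit: str
    severity: str      # "ok", "warn" or "fail"
    committer: str
    reason: str


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse `git log --format='%H%x09%G?%x09%GK%x09%ce'` output into
    (hash, status, keyid, committer) tuples. Malformed lines are an error,
    never silently skipped: an audit that drops records is worse than none."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        sha, status, keyid, committer = fields
        if status not in SIG_STATUS:
            raise ValueError(f"line {lineno}: unknown %G? code {status!r}")
        records.append((sha, status, keyid.upper(), committer.strip().lower()))
    return records


def audit(text: str, trusted_keys: Iterable[str], allowed_domains: Iterable[str]) -> List[Finding]:
    """Policy: every commit must carry a good signature from a key we pinned,
    and the committer address should belong to an allowed domain."""
    trusted = {k.upper() for k in trusted_keys}
    domains = {d.lower() for d in allowed_domains}
    findings = []
    for sha, status, keyid, committer in parse_log(text):
        domain = committer.rsplit("@", 1)[-1]
        if status == "N":
            findings.append(Finding(sha, "fail", committer, "unsigned commit"))
        elif status in ("B", "E"):
            findings.append(Finding(sha, "fail", committer, SIG_STATUS[status]))
        elif keyid not in trusted:
            # A valid signature from an arbitrary key says nothing about origin.
            # "U" (valid, but gpg has no trust path) is acceptable only for pinned keys.
            findings.append(Finding(sha, "fail", committer, f"signed by untrusted key {keyid}"))
        elif status in ("X", "Y", "R"):
            findings.append(Finding(sha, "warn", committer, SIG_STATUS[status]))
        elif domain not in domains:
            findings.append(Finding(sha, "warn", committer, f"trusted key but committer domain {domain} is off-policy"))
        else:
            findings.append(Finding(sha, "ok", committer, SIG_STATUS[status]))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    counts = Counter(f.severity for f in findings)
    return {"ok": counts["ok"], "warn": counts["warn"], "fail": counts["fail"]}


# Constructed sample: hashes, key IDs and addresses are placeholders, not real data.
SAMPLE_LOG = "\n".join([
    "a" * 40 + "\tG\t0123456789ABCDEF\tpackager@example.org",   # signed, pinned key, allowed domain
    "b" * 40 + "\tN\t\ttracker@example.org",                   # generic address, no signature
    "c" * 40 + "\tU\tFEDCBA9876543210\tpackager@example.org",  # valid signature, key not pinned
    "d" * 40 + "\tE\t1111222233334444\ttracker@example.org",   # signing key not available
    "e" * 40 + "\tG\t0123456789ABCDEF\tpackager@example.net",  # pinned key, off-policy domain
    "f" * 40 + "\tX\t0123456789ABCDEF\tpackager@example.org",  # pinned key, expired signature
])
TRUSTED_KEYS = {"0123456789abcdef"}
ALLOWED_DOMAINS = {"example.org"}

if __name__ == "__main__":
    results = audit(SAMPLE_LOG, TRUSTED_KEYS, ALLOWED_DOMAINS)
    for f in results:
        print(f"{f.severity:4} {f.commit[:12]} {f.committer:22} {f.reason}")
    print(summarize(results))
```

Run against a real clone, the "E" results are the interesting ones: git can see a signature but has no key to check it against, which is exactly the state Matt's point 3 (publishing the signing information) is meant to remove. Signed tags can be audited the same way with `git for-each-ref --format='%(refname) %(taggeremail)' refs/tags` plus `git verify-tag`.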


Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Matthias Schroeder
On 11 Jun 2014, at 09:41, Steven Haigh net...@crc.id.au wrote:

 On 11/06/14 17:24, Matthias Schroeder wrote:
 On 06/11/2014 04:12 AM, Steven Haigh wrote:
 On 11/06/14 12:07, Paul Robert Marino wrote:
 Yes a lot of us noticed.
 Recompiling an entire distro from scratch is not an easy proposition.
 Furthermore they need to strip out all of the Red Hat branding. Expect
 it to take a while at least a month or two if not more.
 
 I think it'll take longer than normal this time around... The build
 process is changing completely from previous versions.
 
 True, adapting the process to the new supply chain and source format
 will take a while.
 
 It seems the code
 is getting published on git.centos.org - but it seems nobody really
 knows who is putting it there.
 
 This leaves the moral quandary of 'do we all trust an anonymous source
 with no official ties to Red Hat?'
 
 http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
 
 Current sources for Red Hat Enterprise Linux 7 have been moved to the
 following location:
 
 https://git.centos.org/project/rpms
 
 Does this reduce your moral quandary a little?
 
 Not at all. There is no source for this data at all. Just spec files and
 patches that have 'appeared'.
 
 The SRPMs provided by RedHat in the past are all signed by RedHat and
 are VERY difficult if not impossible to tamper with.
 
 There is no method to authenticate that the files being dumped into
 git.centos.org by an unknown source (hint: It isn't the CentOS guys
 putting them there) are unmodified or even supplied by RedHat.
 
 This is the problem.

Ok, I see your point now. Seems I misinterpreted the ‘moral quandary’.

Matthias

 
 -- 
 Steven Haigh
 
 Email: net...@crc.id.au
 Web: http://www.crc.id.au
 Phone: (03) 9001 6090 - 0412 935 897
 Fax: (03) 8338 0299
 


Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-11 Thread Nico Kadel-Garcia
On Wed, Jun 11, 2014 at 5:21 AM, Steven Haigh net...@crc.id.au wrote:

 I have no doubt that something will come of it - watch this space. When
 it does happen, we all win.

Cool. We didn't have visibility into the git history of RHEL source
code before, so the visibility into the git history of CentOS as the
published open source and free software for Red Hat is an
interesting change. But yes, I do understand your concern about
provenance.

Looking at it, my concern is that there's not a graceful way to get a
list of all the git repos for actual packages published, only a web
interface, and the distinction between CentOS packages and RHEL
published packages is unclear. That's quite distinct from a directory
full of SRPM's that can be listed and parsed from a canonical web
directory and yum repository.

I'm also afraid that the web interface at git.centos.org is making my
eyes bleed.
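Tom H and Nico both raise the problem of watching roughly 3000 repositories for new imports without a feed or a directory listing. Polling `git ls-remote` per repository and diffing the ref lists between runs is one way to do it, and the same diff catches a condition a directory of signed SRPMs never produced: an import tag that was already published later pointing at a different object. What follows is an added example, not from the thread and not CentOS or Red Hat tooling. It assumes the raw output of `git ls-remote --heads --tags <url>` is stored per repository between polls; the repository names and hashes are constructed, and the `imports/c7/<nvr>` tag naming is assumed from git.centos.org's layout.

```python
"""Spot new imports and rewritten history across many dist-git repositories."""
from typing import Dict, List, NamedTuple


class Change(NamedTuple):
    repo: str
    kind: str    # new-tag, tag-moved, tag-deleted, new-branch, branch-moved
    ref: str
    old: str     # previous sha, empty for a ref that did not exist
    new: str     # current sha, empty for a ref that is gone


def parse_ls_remote(text: str) -> Dict[str, str]:
    """Map ref -> sha from `git ls-remote --heads --tags` output. An annotated
    tag is listed twice, as refs/tags/X (tag object) and refs/tags/X^{} (peeled
    commit); keep the tag object, since that is what a signature covers."""
    refs: Dict[str, str] = {}
    for line in text.splitlines():
        sha, sep, ref = line.strip().partition("\t")
        if not sep or ref.endswith("^{}"):
            continue
        refs[ref] = sha
    return refs


def diff_refs(repo: str, before: Dict[str, str], after: Dict[str, str]) -> List[Change]:
    changes: List[Change] = []
    for ref in sorted(set(before) | set(after)):
        old, new = before.get(ref, ""), after.get(ref, "")
        if old == new:
            continue
        is_tag = ref.startswith("refs/tags/")
        if not old:
            changes.append(Change(repo, "new-tag" if is_tag else "new-branch", ref, old, new))
        elif not new:
            # A branch going away is routine; an import tag vanishing is not.
            if is_tag:
                changes.append(Change(repo, "tag-deleted", ref, old, new))
        else:
            # A branch head advancing is normal. An import tag pointing at a
            # different object means already-published history was rewritten.
            changes.append(Change(repo, "tag-moved" if is_tag else "branch-moved", ref, old, new))
    return changes


def scan(before: Dict[str, str], after: Dict[str, str]) -> List[Change]:
    """before/after map repository name -> raw ls-remote output from two polls."""
    changes: List[Change] = []
    for repo in sorted(set(before) | set(after)):
        changes.extend(diff_refs(repo,
                                 parse_ls_remote(before.get(repo, "")),
                                 parse_ls_remote(after.get(repo, ""))))
    return changes


def needs_attention(changes: List[Change]) -> List[Change]:
    """New imports are what you poll for; these are what should page someone."""
    return [c for c in changes if c.kind in ("tag-moved", "tag-deleted")]


# Constructed snapshots: repository names and hashes are placeholders; the
# imports/c7/<nvr> tag naming is assumed from git.centos.org's layout.
IMPORT_TAGS = "refs/tags/imports/c7/"
SNAP_BEFORE = {
    "pkg-alpha": "\n".join([
        "1" * 40 + "\trefs/heads/c7",
        "2" * 40 + "\t" + IMPORT_TAGS + "pkg-alpha-1.0-1.el7",
        "3" * 40 + "\t" + IMPORT_TAGS + "pkg-alpha-1.0-1.el7^{}",
    ]),
    "pkg-beta": "\n".join([
        "4" * 40 + "\trefs/heads/c7",
        "5" * 40 + "\t" + IMPORT_TAGS + "pkg-beta-2.3-4.el7",
    ]),
}
SNAP_AFTER = {
    "pkg-alpha": "\n".join([
        "6" * 40 + "\trefs/heads/c7",                                 # branch advanced: routine
        "2" * 40 + "\t" + IMPORT_TAGS + "pkg-alpha-1.0-1.el7",
        "3" * 40 + "\t" + IMPORT_TAGS + "pkg-alpha-1.0-1.el7^{}",
        "7" * 40 + "\t" + IMPORT_TAGS + "pkg-alpha-1.0-2.el7",        # new import: what we poll for
    ]),
    "pkg-beta": "\n".join([
        "4" * 40 + "\trefs/heads/c7",
        "8" * 40 + "\t" + IMPORT_TAGS + "pkg-beta-2.3-4.el7",         # same tag name, different object
    ]),
    "pkg-gamma": "9" * 40 + "\trefs/heads/c7",                        # repository not seen before
}

if __name__ == "__main__":
    for c in scan(SNAP_BEFORE, SNAP_AFTER):
        print(f"{c.repo:10} {c.kind:13} {c.ref} {c.old[:8]}->{c.new[:8]}")
```

The list of repositories to poll still has to come from somewhere (the web interface, or a list maintained by hand); once it exists, one `git ls-remote` per repository is cheap, needs no clone, and the "new-tag" output is the feed the thread is asking for.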


Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7

2014-06-10 Thread Steven Haigh
On 11/06/14 12:07, Paul Robert Marino wrote:
 Yes a lot of us noticed.
 Recompiling an entire distro from scratch is not an easy proposition.
 Furthermore they need to strip out all of the Red Hat branding. Expect
 it to take a while at least a month or two if not more.

I think it'll take longer than normal this time around... The build
process is changing completely from previous versions. It seems the code
is getting published on git.centos.org - but it seems nobody really
knows who is putting it there.

This leaves the moral quandary of 'do we all trust an anonymous source
with no official ties to Red Hat?'

Time will tell.

-- 
Steven Haigh

Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299


