On 07/07/2014 07:18 AM, Chris St. Pierre wrote:
> On Mon, Jul 7, 2014 at 6:22 AM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
>> And you folks at git.centos.org and the CentOS core developer group, I have some confidence in. Certainly Red Hat does, they hired a bunch of you. The result is that I assume you have good access from which you are building your imported git.centos.org sources, either direct git exports from Red Hat's internal git repos or a full feed Red Hat subscription to work the SRPM's from. I'm actually quite curious which you use, I don't see anything at git.centos.org to indicate. Either way, though, I have some confidence in *your* access to upstream resources.
> This is where I've been trying to tell you you're wrong. They've made it clear that they use git.centos.org, just like the rest of us. The name on their paycheck doesn't make them special in this regard. The domain in their email address doesn't make them special in this regard. They are subject to the same limitations that we are, which is why asking *them* to certify sources that they *only consume* is pure folly.
This is correct in one sense: we do indeed consume git.centos.org, like everyone else. We do NOT have access to the machine(s) where the commits are made from (where the SRPMs become a git tree), that is done by upstream. There is a purposeful isolation between the resources of the CentOS team and the RHEL team.
We do know that things that show up on git.centos.org came from a specific IP address, and used a specific key/user combination from that IP address to deliver the content to git.centos.org .. so we know where it originated from (if they are imported by the upstream user), so we have confidence that the content is authentic (as in: it came from upstream).
So, the authenticity of the code is not in question .. it is provided by upstream or by the person listed in the git log (for content that is not from upstream, i.e. the scripts in centos-git.common).
> Four CentOS core members work for upstream. That does *not* make CentOS upstream.
This is absolutely true ... we (the 4 people hired by Red Hat that produce CentOS) do not work from anywhere we did not work before we were hired by Red Hat (we all work from home on CentOS, then and now). Nor do we have any access to any resources or information that the RHEL team at Red Hat does not make public. We also do not have access to any code going into CentOS before it shows up on git.centos.org.
The process on our end has not changed, other than where we get the code from.
All of this stealing CAs to make an SSL certificate that looks valid to a user who uses git.centos.org, then targeting that user's DNS to make them download bad code from git.centos.org so that they can then inject code, while theoretically possible, is silly.
Besides, Red Hat provides source code to their customers via RHN in SRPM form. They provide the expanded code to the community via git.centos.org.
If you want to validate the code is the same, then subscribe to RHEL and do your own comparison.
RHEL is RHEL and CentOS is CentOS .. use CentOS if you want CentOS .. use RHEL if you want RHEL ... and if you are another rebuilder, and if you don't want to use git.centos.org, then talk to and sign an agreement with Red Hat to do something else. All the rest of this is just silly.
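The "do your own comparison" step above, as an added example that is not part of the thread and not a CentOS or Red Hat tool: a small POSIX shell script that hashes every file in two source trees and reports what differs. It assumes the SRPM fetched from RHN has already been unpacked into a directory (for instance with `rpm2cpio foo.src.rpm | cpio -idm`) and that the git.centos.org checkout has been laid out with the same relative paths; it says nothing about how git.centos.org actually stores sources, it only compares two directories by content.

```shell
#!/bin/sh
# Added example (not from the thread): compare two source trees by SHA-256 so a
# subscriber can check that an SRPM from RHN matches a git.centos.org checkout.
# Assumptions: sha256sum, find, sort, diff and mktemp are available; both trees
# have already been unpacked into directories with the same relative layout.

# manifest DIR: print "hash  ./relative/path" for every regular file under DIR,
# sorted by path so two manifests of identical trees compare byte-for-byte.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# compare_trees A B: print the entries whose hash differs or that exist on one
# side only. Returns 0 when the trees are identical, 1 when anything differs.
compare_trees() {
    a=$1
    b=$2
    ma=$(mktemp)
    mb=$(mktemp)
    manifest "$a" > "$ma"
    manifest "$b" > "$mb"
    if cmp -s "$ma" "$mb"; then
        rm -f "$ma" "$mb"
        echo "trees identical: $a == $b"
        return 0
    fi
    echo "differences (< $a, > $b):"
    # diff exits 1 when the manifests differ; that is the expected case here.
    diff "$ma" "$mb" | grep '^[<>]' || true
    rm -f "$ma" "$mb"
    return 1
}

# Usage: compare_trees /path/to/unpacked-srpm /path/to/git-checkout
```

The script deliberately hashes file contents rather than trusting file names or timestamps, so a tarball that was swapped but kept its name still shows up as a difference.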