On Sat, Aug 9, 2014 at 6:10 PM, Karanbir Singh mail-lists@karan.org wrote:
the idea that since git is distributed someone else will have a copy - atleast the last person to send the last commit will have a good copy is best ignored.
just going by history, when large git infra has gone offline - so has most code that was contained inside it.
Not at all. People pull from each other's repositories, especially from their branches, all the time in collaborative work. As things stand, the only way to verify the content is to pull from and compare to the upstream, secured repository, and it's going to be offline for a while.
The window of vulnerability for this particular instance is, thankfully, short But "most code has gone offline" is irrelevant to my concern. It's the potential for confusion, or abuse, and the lack of provenance for offsite clones that concerns me. While git.centos.org is offline, the much-relied-on security of that site itself is quite useless to any developers working rom their own or on each other's repositories.