Morning, folks. Happy July 4th.
I'm hopping back onto centos-devel to raise some concerns about git.centos.org components. Overall it's working. There are things I don't like, but as things stand that's *my* problem. These issues, however, affect others, and I don't see a good bugzilla mentioned at git.centos.org itself.
1) Many repositories are being listed with excessive "/" in their names. It messes up alphabetization and can get quite confusing.
rpms/docker, for example, is listed as "https://git.centos.org/summary/?r=////rpms/docker.git"
2) The "show_possible_srpms.sh" script relies on checking for the word "import" in the git logs to determine SRPM versions, embedded in the git logs themselves. This raises the risk of *any* commit that uses that word for other reasons to report an invalid SRPM version number. As much as I dislike relying on a git log rather than a signed tag to do a build, please, refine this script to at least grep more carefully for 'import' as the leading word, and ideally sanity check the rest of the import line for the SRPM number.
Obligatory XKCD comic about sanitizing inputs: http://xkcd.com/327/
3) Anyone who attempts to replicate any of the git repositories for improved local access is at risk of corruption or the embedding of trojans in the local repository, due to the lack of GPG signed tags or similar verification of the contents. I realize that the use of the "package.metadata" information provides git commit hash tags, which help verification, but that data *itself* can be reset in a trojaned local git repository.
Please consider the use of signed GPG tags for actual SRPM updates, rather than merely relying on '[package].metadata', to help assure provenance for people who may test or rebuild security components.
Thanks for the attention: I'll stick around for a while, to try and pay back the support for others working with this.
Nico Kadel-Garcia nkadel@gmail.com
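As an added illustration of the stricter matching asked for in point 2 above (this is example code written for this page, not the CentOS show_possible_srpms.sh script or anything from the poster), the filter below reads commit subjects such as those produced by `git log --format=%s`, accepts only lines whose leading word is `import`, and then checks that the remainder is a well-formed NAME-VERSION-RELEASE.src.rpm filename. It assumes that import commits use a subject of exactly the form "import NAME-VERSION-RELEASE.src.rpm"; the sample subjects are constructed and do not come from any real git.centos.org repository.

```shell
#!/bin/sh
# Example filter for SRPM import commit subjects.
# ASSUMPTION: import commits carry the subject "import NAME-VERSION-RELEASE.src.rpm".

# srpm_from_subject SUBJECT
#   Prints the SRPM filename if SUBJECT is a well-formed import line,
#   otherwise prints nothing and returns 1.
srpm_from_subject() {
    subject=$1

    # 'import' must be the leading word, followed by exactly one space.
    # A subject that merely mentions "import" elsewhere is rejected here.
    case $subject in
        "import "*) ;;
        *) return 1 ;;
    esac

    srpm=${subject#import }

    # Strict N-V-R check: the name may contain hyphens, but version and
    # release may not, so the last two hyphen-separated fields are V and R.
    # Whitespace, slashes and other path characters are not permitted, so
    # "import foo", "import ../x.src.rpm" and trailing words are all rejected.
    printf '%s\n' "$srpm" \
        | grep -Eq '^[A-Za-z0-9._+-]+-[A-Za-z0-9._+~^]+-[A-Za-z0-9._+~^]+\.src\.rpm$' \
        || return 1

    printf '%s\n' "$srpm"
}

# filter_import_subjects
#   Reads commit subjects on stdin, one per line, and prints only the SRPM
#   filenames from well-formed import lines.  Intended usage:
#       git log --format=%s | filter_import_subjects
filter_import_subjects() {
    while IFS= read -r line; do
        srpm_from_subject "$line" || true
    done
}

# Constructed sample subjects (not taken from any real repository).  Only the
# first and third are legitimate import lines; the others are the kinds of
# commits a bare grep for "import" would wrongly report.
sample_subjects() {
    printf '%s\n' \
        'import docker-1.12.6-16.el7.centos.src.rpm' \
        'Fix the import path in docker.spec' \
        'import python-setuptools-0.9.8-7.el7.src.rpm' \
        'import notreally' \
        'import ../../../etc/passwd.src.rpm' \
        'Remove unused import of libseccomp, import fails on ppc64le'
}

# Run the sample through the filter when executed directly.
if [ "${0##*/}" = "filter_imports.sh" ]; then
    sample_subjects | filter_import_subjects
fi
```

On the constructed sample the filter prints exactly the two well-formed SRPM names and drops the rest. For point 3, the consuming side of a signed-tag scheme is the standard `git verify-tag <tag>`, which checks the tag's GPG signature against the local keyring and fails if the tag object has been altered or replaced; the filter above does nothing to establish provenance and is only about not misreading the log.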