On 08/27/2014 09:32 PM, Nico Kadel-Garcia wrote:
On Wed, Aug 27, 2014 at 7:28 AM, Johnny Hughes johnny@centos.org wrote:
Not when the metadata is poisoned by a trojaned merge. Git logs can be edited. Without the GPG sums, it's like a web mirror that has a pack of RPMs with a pack of checksums alongside them. The owner of the mirror, or a cracker attacking the host, can corrupt *both*, and without the GPG tag, it's hard to get provenance.
And *that* is one of the points where having a GPG signed tag, especially one tied to the contents of the SRPM builds, becomes a useful tool for verifying provenance of the tree. You can't rely on a binary comparison; there's likely to be frequent skew between the rsync mirrors and the main repo as a matter of course.
Red Hat does not want to provide us a gpg signed tag, so therefore we will not be getting one. No reason to keep bringing it up. It's not happening any time soon.
I'm confused by this. What does Red Hat, at least the core business, have to do with this? You have a GPG key you use for making RPM's and SRPM's, why shouldn't or couldn't you use the same key to create git tags? This would be for tags for *your* work, and possibly for when you import Red Hat source.
We don't IMPORT the Red Hat source code ... Red Hat Engineering provides the Red Hat source code to the machine where git.centos.org lives. (they throw it over the wall that exists between the Red Hat Engineering team and the CentOS team).
Things that come in with "CentOS Sources" user (or earlier the "CentOS Buildsys" user) are not done by the CentOS team, they come from upstream. There is a specific user who is allowed to connect from a specific IP that has a specific key who can import code directly. I can not do it.
When these things come in, I see them the same way that the Scientific Linux team or anyone else who uses this source sees them, by checking the site. I then use the same tools that anyone else who wants to build the source code would use, the tools here:
https://git.centos.org/summary/centos-git-common.git
If they (upstream) gave us the SRPMs directly and we imported them, then we might have some say how they came in ... they do not and therefore we do not. Everyone who gets community source code from Red Hat gets it from git.centos.org .. INCLUDING the CentOS Team.
<snip>
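The mirror argument made earlier in the thread, as an added example that is not from the list discussion: whoever controls a mirror can rewrite both a package and the checksum file beside it, so a `sha256sum -c` style check still passes, while a signature made with a key that never touched the mirror does not. Package names, bytes and the key are constructed; an HMAC stands in for the GPG detached signature (the Python standard library has no public-key signing), so read the key as the release team's private key held off the mirror.

```python
import hashlib
import hmac

# Stand-in for the release team's GPG private key: it is never on the mirror host.
SIGNING_KEY = b"constructed-release-key-held-off-mirror"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict) -> str:
    # Same shape as a SHA256SUMS file: "<digest>  <filename>" per line.
    return "".join(f"{sha256_hex(d)}  {name}\n" for name, d in sorted(packages.items()))


def sign_manifest(manifest: str, key: bytes) -> str:
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def publish(packages: dict, key: bytes) -> dict:
    # What the project pushes to a mirror: packages, checksums, and a signature over the checksums.
    manifest = build_manifest(packages)
    return {"packages": dict(packages), "SHA256SUMS": manifest,
            "SHA256SUMS.sig": sign_manifest(manifest, key)}


def checksums_match(mirror: dict) -> bool:
    # The check `sha256sum -c SHA256SUMS` performs: each file against the manifest next to it.
    for line in mirror["SHA256SUMS"].splitlines():
        digest, name = line.split("  ", 1)
        if name not in mirror["packages"] or sha256_hex(mirror["packages"][name]) != digest:
            return False
    return True


def signature_valid(mirror: dict, key: bytes) -> bool:
    # The check a GPG detached signature gives you: was this manifest produced by the key holder?
    return hmac.compare_digest(sign_manifest(mirror["SHA256SUMS"], key), mirror["SHA256SUMS.sig"])


def compromise_mirror(mirror: dict, name: str, trojaned: bytes) -> dict:
    # Mirror owner or intruder swaps one package AND regenerates the checksum file to match.
    tampered = {"packages": dict(mirror["packages"]), "SHA256SUMS.sig": mirror["SHA256SUMS.sig"]}
    tampered["packages"][name] = trojaned
    tampered["SHA256SUMS"] = build_manifest(tampered["packages"])
    return tampered


def provenance_report(mirror: dict, key: bytes) -> dict:
    return {"checksums_ok": checksums_match(mirror), "signature_ok": signature_valid(mirror, key)}


# Constructed sample tree; the names mimic SRPM files but the contents are arbitrary bytes.
PACKAGES = {"foo-1.0-1.el7.src.rpm": b"constructed source rpm bytes",
            "bar-2.3-4.el7.src.rpm": b"another constructed source rpm"}
CLEAN = publish(PACKAGES, SIGNING_KEY)
TAMPERED = compromise_mirror(CLEAN, "foo-1.0-1.el7.src.rpm", b"trojaned build of foo")
```

Run `provenance_report` on both trees: the clean one passes both checks, the tampered one passes the checksum check and fails only the signature check, which is exactly the gap a signed tag or signed manifest closes.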