On Mon, Jul 7, 2014 at 6:40 AM, Jim Perrin jperrin@centos.org wrote:
On 07/06/2014 09:06 PM, Nico Kadel-Garcia wrote:
On Sun, Jul 6, 2014 at 9:04 PM, Chris St. Pierre chris.a.st.pierre@gmail.com wrote:
There's been a lot of discussion on this, which is surprising given that this is the wrong place for it. Maybe next we can discuss how to improve AutoYAST or IIS.
Some people seem to have forgotten that CentOS, despite the recent change in employment status of several of its core members, is the *downstream* rebuilder. They get their sources via git.centos.org from a prominent North American Linux reseller, just like the rest of us.
Read that again: CentOS is not special. They are *consumers* of the sources, not the producers.
They are special. Various members of the CentOS team are now Red Hat employees (http://seven.centos.org/2014/06/congratulations-to-red-hat-for-rhel7/)
Do keep up with curent events.
Yes. They pay the salary for some of us. We're STILL not special, and we STILL don't have the ability to reach in and influence the business units. We've said that time and again as well. http://www.zdnet.com/centos-7-is-on-its-way-7000030443/
Do try to keep up when you're telling others to keep up.
I read the article, and others at the time. When someone pays your salary and funds your build hardware, that's pretty "special" compared to other open source and freeware teams managing various software forks. It's not unheard of, and I've no moral or ethical issue with it. (I'm thinking of Zmanda and AMANDA, and the various Subversion related companies, with which I've also dealt in the past.) But I'm afraid the funding relationship does, indeed, make it "special" compared to other developers or rebuilders.
It seems a healthy and reasonable relationship. Red Hat has been an excellent participant in free software and open source for many years, and support of CentOS is a good sign of that ongoing support. That doesn't worry me, at least. And gods forbid, if some business unit did try to improperly influence you, CentOS and Red Hat have shown good historical resistance to administrative abuse and I'd expect you to handle it safely.
Now, the point of saying that was to say this: Lets at least pretend to be civil on this list. You've come storming into the list, with a condescending attitude, talking down to several. Do you honestly feel that being an asshole on the list helps your cause? If the merits of your argument are sound, it'll speak for itself. Being an asshole actually HURTS your cause and weakens your argument.
Sorry if it seems that way. I'm trying to raise real issues of software provenance and repository security and workflow. I'll admit that I was startled to have to try to explain the usefulness of GPG signed git tags, and I do seem to have stepped on some toes with related issues.
I'm not worried about https://git.centos.org security itself. (At least, no more than any well supported open source website!). The CentOS developers and maintainers have earned some confidence in their work. It's the intermediate offsite staging, whether in a local working repository or possibly a trojaned intermediate repository, that I'm concerned about. That's outside of the direct control, but a certain level of verification of local repositories, especially with well labeled tags, could help improve confidence for anyone working from your git repo in local repositories, rather than working from raw SRPM's.
Please be civil on the list.
Trying to. I do wind up openly contradicting someone when I think they're mistaken, as I just tried to contradict you about the lack of any "special" relationship of CentOS to Red Hat. But I did try to do so civilly with you, and to be careful to provide evidence and reasoning to support the conclusion.
That's about the best I can do.