On 07/05/2014 05:08 AM, Nico Kadel-Garcia wrote:
> On Fri, Jul 4, 2014 at 11:15 AM, Karanbir Singh <mail-lists@karan.org> wrote:
>> On 07/04/2014 02:46 PM, Nico Kadel-Garcia wrote:
>>> Please consider the use of signed GPG tags for actual SRPM updates,
>>> rather than merely relying on '[package].metadata', to help assure
>>> provenance for people who may test or rebuild security components.
>>
>> The content you get is pushed over https; the implementation on
>> git.centos.org seems fairly secure. The content into the machine is via
>> ssh, over a guaranteed (in as much as a network can be guaranteed) link.
>>
>> We are also preventing anyone else from being able to commit with the
>> source importer username/email and/or using the word 'import' as the
>> first word in the commit.
>
> Thanks. But Karanbir, "commit" is not the problem I'm referring to. It's
> the ability to substitute a trojaned, fake repository in between you and
> the client, to commit a "man-in-the-middle" attack. Valid SSL

What about git.centos.org's ssl cert looks invalid? Also, if you are
doubting SSL as a transport, we've all got bigger problems.

- KB