Hi Peter,

"working on delivering" is nice, but it's a GPL legal requirement that this be done, so getting it completed should be priority.

"Meanwhile all the sources used to build CentOS Stream content has always been available through https://git.centos.org/ "

Did you follow my link?  I found at least one source that is missing - so it looks like whoever is doing the build is not in fact using that repo to do it from.

It blows my mind how insecure this all is - security news is packed with daily exploits being discovered, yet everyone still seems happy to run sketchy code downloaded from insecure web sites for which none of the source that was used really exists when you go looking for it, and where the entire build and installation process is programmed to ignore missing and invalid digital signatures...


On Tue, Feb 9, 2021 at 8:08 PM Peter Meier <peter.meier@immerda.ch> wrote:
> # yumdownloader --source sendmail
> Last metadata expiration check: 2:09:27 ago on Mon 08 Feb 2021 09:45:31
> PM GMT.
> No package sendmail-8.15.2-34.el8.src available.
> Exiting due to strict setting.
> Error: No package sendmail-8.15.2-34.el8.src available.
>
> Might I suggest you ask someone in the build team to fix or write
> whatever script is needed to make "yumdownloader" work?  Obviously,
> since they're building stuff, *they* know where the source code
> **really** is - so it would only take 5 or 10 minutes to glue your
> existing tools (like yumdownloader) into whatever new location someone
> seems to have dreamed up for the actual source.  

It has been pointed out multiple times (also during the Dojo), that the
team is working on delivering the sources as SRPMs for CentOS Stream in
the repositories as they are for CentOS Linux. So stay tuned.

Meanwhile all the sources used to build CentOS Stream content has always
been available through https://git.centos.org/ and there are the
following tools to consume dist-git content easily:

https://git.centos.org/centos-git-common

Meanwhile: Keep in mind - and this was always communicated this way -
the shift of direction is by the end of 2021 and the announcement was
done early to give everybody a clear heads up and also gather feedback
on what is important. BUT this also means that not everything is in
place yet as you know it from CentOS Linux. Nevertheless, the team now
works on CentOS Linux 7 & 8 + making stream ready to replace 8 + making
sure Stream 9 is able to start.

And yes it would be nice if in 2021 all connections are done through TLS.

~pete