On 09.02.21 at 21:57, Chris Drake wrote:
Hi Peter,
"working on delivering" is nice, but it's a GPL legal requirement that this be done, so getting it completed should be priority.
"Meanwhile all the sources used to build CentOS Stream content has always been available through https://git.centos.org/ "
Did you follow my link? I found at least one source that is missing - so it looks like whoever is doing the build is not in fact using that repo to do it from.
It blows my mind how insecure this all is - security news is packed with daily exploits being discovered, yet everyone still seems happy to run sketchy code downloaded from insecure web sites for which none of the source that was used really exists when you go looking for it, and where the entire build and installation process is programmed to ignore missing and invalid digital signatures...
Chris, please take a step back and take a look at some details in an elaborated way. For instance, as Fabian already answered, git sources are not in any master branch; they are in sub branches. Additional bin blobs are in a look-aside space outside of git. This is all explained in the wiki. About signed packages, could you please explain your POV called "ignore missing and invalid digital signature"?
--
Thanks
Leon
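One concrete, checkable piece of the "ignore missing and invalid digital signatures" dispute is whether a host's dnf/yum repository definitions actually enforce package signature checks. The following is an added example, not code from this thread or from the CentOS project: a Python audit of .repo content that flags repos whose effective gpgcheck is off, or which enable gpgcheck without naming a gpgkey. The sample configuration is constructed, and the inheritance of gpgcheck from the [main] section of dnf.conf is modelled as an assumption.

```python
"""Audit dnf/yum repository definitions for disabled package-signature checks.

Added example, not part of the mailing-list thread. Reads .repo content in the
INI format dnf uses and reports each repo whose effective gpgcheck is off, or
which enables gpgcheck but names no gpgkey. Inheritance of gpgcheck from the
[main] section of dnf.conf is modelled here (assumption); the sample
configuration below is constructed for the example.
"""
import configparser

# Constructed sample: one repo relies on the [main] default, one disables
# checking explicitly, one checks but has no key configured.
SAMPLE_MAIN = "[main]\ngpgcheck=1\n"
SAMPLE_REPO = """
[baseos]
name=Example BaseOS
baseurl=https://mirror.example.invalid/baseos/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[extras]
name=Example Extras
baseurl=https://mirror.example.invalid/extras/
gpgcheck=0

[thirdparty]
name=Third party
baseurl=https://vendor.example.invalid/rpms/
gpgcheck=1
"""


def _truthy(value):
    """Interpret the boolean spellings dnf accepts in config files."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def audit_repos(main_conf, repo_conf):
    """Return {repo_id: finding} for repos that would skip or cannot verify signatures."""
    main = configparser.ConfigParser(interpolation=None)
    main.read_string(main_conf)
    # dnf's documented default for gpgcheck is off unless [main] sets it.
    default_gpgcheck = _truthy(main.get("main", "gpgcheck", fallback="0"))
    repos = configparser.ConfigParser(interpolation=None)
    repos.read_string(repo_conf)
    findings = {}
    for repo_id in repos.sections():
        section = repos[repo_id]
        gpgcheck = _truthy(section.get("gpgcheck", default_gpgcheck))
        if not gpgcheck:
            findings[repo_id] = "gpgcheck disabled: unsigned or tampered RPMs install silently"
        elif not section.get("gpgkey", "").strip():
            findings[repo_id] = "gpgcheck enabled but no gpgkey: no trusted key to verify against"
    return findings


if __name__ == "__main__":
    for repo_id, finding in audit_repos(SAMPLE_MAIN, SAMPLE_REPO).items():
        print(f"{repo_id}: {finding}")
```

Run it against the concatenated contents of /etc/dnf/dnf.conf and /etc/yum.repos.d/*.repo to see which repos on a real host would accept unverified packages.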