On 03/05/2015 08:31 AM, Nico Kadel-Garcia wrote:
On Thu, Mar 5, 2015 at 7:26 AM, Johnny Hughes johnny@centos.org wrote:
On 03/05/2015 05:58 AM, Nux! wrote:
Keep git.centos.org as authority, use github instead of gitorious; everybody is there already anyway.
Lucian
+1 from me
I appreciate github and use it a great deal. (Look over there for my daemontools, rt4 for RHEL 6, samba 4 for CentOS 6, and other toolkits.) And repoforge also used it effectively. I'm delighted to see it suggested, and suspect it will be much, much faster to pull from github.com than it generally is from git.centos.org.
However, we're right back to the problem I mentioned when I first saw git.centos.org: "provenance". If all CentOS and upstream RHEL source is published on a central website, one can try to verify the chain of ownership and verify the source by verifying it directly against that central repository with its owned SSL certificate and the chain of trust there. As soon as people are cloning from there to another site, and cloning off of those instead of against the central repository, you have a potentially risky step on any third party hosted repository. And you have an expensive verification step to *keep checking it against the central repo*.
So, how can we make sure that what is at github.com actually matches what came from git.centos.org? Especially since the information about what actually went into a SRPM is a log message, tied to a revision that can be excluded and replaced or corrupted in a third party hosted clone?
Oh, right! It's already there. GPG signed git tags are a core git facility, CentOS build systems already handle GPG tags to sign the SRPMs they build, and it already does what the "git log" interpretation tools tried to do and which they cannot provide for the growing number of git mirrors and third-party hosted repositories. I hope this provides a solid reason to activate real tags. It should be possible to do on top of the existing structure without altering the existing logs at all.
You can't .. you just need to trust us, or use something else
Nico Kadel-Garcia
----- Original Message -----
From: "Karanbir Singh" kbsingh@centos.org
To: "The CentOS developers mailing list." centos-devel@centos.org
Sent: Thursday, 5 March, 2015 11:30:38
Subject: [CentOS-devel] moving from gitorious
Hi,
We have some of our content currently hosted on gitorious.org that we mirror from git.centos.org - the intention being that git.centos.org is still the authority, but people can use the easier contribution path at gitorious to build karma and then get direct git commit access at git.centos.org.
Since gitorious is going away, what are everyone's thoughts on consolidating all of this external contribution path on github.com/CentOS? We already host a bunch of content there.
Regards
-- Karanbir Singh, Project Lead, The CentOS Project
CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel
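
The signed-tag check raised in the thread, sketched as an added example (not part of the thread and not CentOS project code): a tag fetched from any mirror is accepted only if gpg validates it and the signer is a pinned key, so the result does not depend on which host served the clone. The fingerprints and status lines are constructed placeholders, and the parser assumes the GnuPG 2.x `VALIDSIG` layout.

```python
import subprocess

# gpg status keywords that mean the signature must not be accepted.
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def check_status(status_text, pinned_fprs):
    """Apply a key-pinning policy to gpg status output for one signed tag."""
    seen, primary = set(), None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        seen.add(fields[1])
        if fields[1] == "VALIDSIG":
            # Assumes GnuPG 2.x layout: the last VALIDSIG field is the primary
            # key fingerprint, even when a signing subkey made the signature.
            primary = fields[-1].upper()
    bad = sorted(seen & BAD)
    if bad:
        return False, "gpg reported " + ",".join(bad)
    if primary is None:
        return False, "no valid signature (unsigned or lightweight tag)"
    if primary not in {f.upper() for f in pinned_fprs}:
        return False, "signed by unpinned key " + primary
    return True, primary

def verify_tag(repo, tag, pinned_fprs):
    """Check a tag in any clone (mirror or not) against the pinned keys."""
    # --raw makes git print gpg's machine-readable status lines on stderr.
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return check_status(proc.stderr, pinned_fprs)

# Constructed sample data: placeholder fingerprints, not real CentOS keys.
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

def sample_status(fpr, extra=""):
    return (extra + "[GNUPG:] NEWSIG\n"
            "[GNUPG:] GOODSIG %s Example Signer <signer@example.org>\n"
            "[GNUPG:] VALIDSIG %s 2015-03-05 1425556800 0 4 0 1 8 00 %s\n"
            % (fpr[-16:], fpr, fpr))

if __name__ == "__main__":
    print(check_status(sample_status(PINNED), [PINNED]))  # tag from any mirror
    print(check_status(sample_status(OTHER), [PINNED]))   # re-signed elsewhere
    print(check_status("", [PINNED]))                     # tag replaced, unsigned
```

A plain `git verify-tag` succeeds for any key present in the local keyring, which is why the fingerprint comparison is done separately here.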