[CentOS-devel] scheduling some downtime for reimzul and git.c.o

Sun Aug 10 05:42:25 UTC 2014
Nico Kadel-Garcia <nkadel at gmail.com>

On Sat, Aug 9, 2014 at 6:10 PM, Karanbir Singh <mail-lists at karan.org> wrote:

> the idea that since git is distributed someone else will have a copy -
> atleast the last person to send the last commit will have a good copy is
> best ignored.
> just going by history, when large git infra has gone offline - so has
> most code that was contained inside it.

Not at all. People pull from each other's repositories, especially
from their branches, all the time in collaborative work. As things
stand, the only way to verify the content is to pull from and compare
to the upstream, secured repository, and it's going to be offline for
a while.

The window of vulnerability for this particular instance is,
thankfully, short  But "most code has gone offline" is irrelevant to
my concern. It's the potential for confusion, or abuse, and the lack
of provenance for offsite clones that concerns me. While
git.centos.org is offline, the much-relied-on security of that site
itself is quite useless to any developers working rom their own or on
each other's repositories.