[CentOS-devel] Importing CentOS-6 Sources into git.centos.org

Thu Aug 21 01:29:05 UTC 2014
Nico Kadel-Garcia <nkadel at gmail.com>

On Wed, Aug 20, 2014 at 5:24 PM, Karanbir Singh <mail-lists at karan.org> wrote:
> On 08/19/2014 04:54 PM, Pat Riehecky wrote:
>>> We will also be upgrading to a new version of gitblit for git.centos.org
>>> before we actually roll in the CentOS-6 sources, though I will begin the
>>> list generation before we actually start the gitblit upgrade process.
>> Will there be an rsync target available for the git repos and look-aside
>> sources?
>> https://bugs.centos.org/view.php?id=7185
> I'd like to be able to offer rsync from there as well, but there are a
> few challenges that need to be resolved first. For the binary content cache,
> we can likely run the rsync instance from the backup machine so there is
> no network load on the production box. For the git repos it's a bit
> harder since there are private or work-in-progress repos in there as
> well, and we need to find a way to mask those out.
> Certainly worth trying to get to.

Use GPG signed git tags to assure provenance, and the repository can
be safely cloned. Rsyncing a git repo is like rsyncing a CVS or
Subversion repository. Even small changes in the midst of the rsync
operation can corrupt the underlying database.

I did *suggest* using GPG signed git tags instead of the "parse the
git log to figure out the revision matching the built RPM", and one of
the reasons was to assure provenance for cloned repositories. All the
necessities to assure provenance apply to rsynced mirrors as well.
Unless *every single mirror* is as robustly deployed as
git.centos.org, they are at risk of local manipulation installing a
trojan or otherwise violating their security.
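One way to act on the provenance point above: before trusting anything cloned from a mirror, check that the release tag carries a valid GPG signature from a key pinned by fingerprint. This is an added example, not code from this thread or from the CentOS project; the key, repository and tag `v1` are constructed for the demo, and `gpg` and `git` are assumed to be installed.

```shell
# verify_mirror_tag REPO TAG FINGERPRINT
# Clones REPO into a scratch dir and returns 0 only if TAG carries a valid
# GPG signature made by the key with the pinned FINGERPRINT (that public key
# must already be in the local gpg keyring). Nothing from the mirror is trusted
# before this check passes.
verify_mirror_tag() {
    _repo=$1 _tag=$2 _fpr=$3
    _work=$(mktemp -d) || return 1
    _rc=1
    if git clone --quiet "$_repo" "$_work/clone" 2>/dev/null; then
        # --raw emits gpg status lines on stderr; the first VALIDSIG field is
        # the signing key's full fingerprint, which is compared to the pin.
        if git -C "$_work/clone" verify-tag --raw "$_tag" 2>&1 \
            | grep -q "^\[GNUPG:\] VALIDSIG $_fpr "; then
            _rc=0
        fi
    fi
    rm -rf "$_work"
    return $_rc
}

# demo_mirror_check: constructed sample data. Creates a throwaway key and repo,
# signs tag v1, then builds a copy in which v1 was silently re-pointed to a
# modified commit without a signature, as a tampered mirror would look.
# Returns 0 only when the genuine tag is accepted and the forged one rejected.
demo_mirror_check() {
    _d=$(mktemp -d) || return 1
    export GNUPGHOME="$_d/gnupg"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "demo <demo@example.invalid>" default default never 2>/dev/null || return 1
    _fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr/ {print $10; exit}')
    _git="git -c user.name=demo -c user.email=demo@example.invalid -c user.signingkey=$_fpr"
    $_git init --quiet "$_d/src" && echo "hello" > "$_d/src/README"
    $_git -C "$_d/src" add README && $_git -C "$_d/src" commit --quiet -m "initial"
    $_git -C "$_d/src" tag -s -m "release v1" v1 || return 1
    $_git clone --quiet "$_d/src" "$_d/mirror" 2>/dev/null
    echo "extra" >> "$_d/mirror/README"
    $_git -C "$_d/mirror" commit --quiet -am "tampered" && $_git -C "$_d/mirror" tag -f v1 >/dev/null
    verify_mirror_tag "$_d/src" v1 "$_fpr" && echo "genuine tag accepted" || { echo "genuine tag rejected"; return 1; }
    verify_mirror_tag "$_d/mirror" v1 "$_fpr" && { echo "forged tag accepted"; return 1; } || echo "forged tag rejected"
    gpgconf --kill gpg-agent 2>/dev/null; unset GNUPGHOME; rm -rf "$_d"
}
```

Run `demo_mirror_check` to see both outcomes; in real use, import the project's published signing key first and pass its fingerprint as the pin.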