[CentOS-devel] Importing CentOS-6 Sources into git.centos.org

Thu Aug 28 11:09:26 UTC 2014
Johnny Hughes <johnny at centos.org>

On 08/27/2014 09:32 PM, Nico Kadel-Garcia wrote:
> On Wed, Aug 27, 2014 at 7:28 AM, Johnny Hughes <johnny at centos.org> wrote:
> 
>>> Not when the metadata is poisoned by a trojaned merge. Git logs can be
>>> edited. Without the GPG sums, it's like a web mirror that has a pack
>>> of RPM's with a pack of checksums alongside them. The owner of the
>>> mirror, or a cracker attacking the host, can corrupt *both*, and
>>> without the GPG tag, it's hard to get provenance.
>>>
>>> And *that* is one of the points where having a GPG signed tag,
>>> especially one tied to the contents of the SRPM builds, becomes a
>>> useful tool for verifying provenance of the tree. You can't rely on a
>>> binary comparison, there's likely to be frequent skew between the
>>> rsync mirrors and the main repo as a matter of course.
>>
>> Red Hat does not want to provide us a gpg signed tag, so therefore we
>> will not be getting one.  No reason to keep bringing it up.  It's not
>> happening any time soon.
> 
> I'm confused by this. What does Red Hat, at least the core business,
> have to do with this? You have a GPG key you use for making RPM's and
> SRPM's, why shouldn't or couldn't you use the same key to create git
> tags? This would be for tags for *your* work, and possibly for when
> you import Red Hat source.

We don't IMPORT the Red Hat source code ... Red Hat Engineering provides
the Red Hat source code to the machine where git.centos.org lives. (they
throw it over the wall that exists between the Red Hat Engineering team
and the CentOS team).

Things that come in with "CentOS Sources" user (or earlier the "CentOS
Buildsys" user) are not done by the CentOS team, they come from
upstream.  There is a specific user who is allowed to connect from a
specific IP that has a specific key who can import code directly.  I can
not do it.

When these things come in, I see them the same way that the Scientific
Linux team or anyone else who uses this source sees them, by checking
the site.  I then use the same tools that anyone else who wants to build
the source code would use, the tools here:

https://git.centos.org/summary/centos-git-common.git

If they (upstream) gave us the SRPMs directly and we imported them, then
we might have some say how they came in ... they do not and therefore we
do not.  Everyone who gets community source code from Red Hat gets it
from git.centos.org .. INCLUDING the CentOS Team.

<snip>


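The provenance argument above (a signed tag binds an exact commit id to a key the mirror operator does not hold, whereas checksums alongside the content can be regenerated by whoever rewrites the content) is easy to see in the layout of a git tag object. The example below is added here and is not code from the thread, from the CentOS project or from centos-git-common. It performs the same split that `git verify-tag` performs before calling gpg: everything before the `-----BEGIN PGP SIGNATURE-----` line is the signed payload, and that payload carries the `object` header naming the commit the tag vouches for. The tag object, commit id, tagger and signature block are all constructed for the example; the signature is not a real OpenPGP signature, so this code only shows what is covered by the signature and what a tamperer can recompute. It does not run gpg.

```python
"""Split a git tag object into its signed payload and detached signature.

This mirrors the split that `git verify-tag` performs: the bytes before the
"-----BEGIN PGP SIGNATURE-----" line are what gpg is asked to verify, and
those bytes contain the `object` header, i.e. the exact commit id the tag
vouches for. Everything here is an added, constructed example.
"""
import hashlib

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"

# Constructed sample tag object, laid out as `git cat-file tag <name>` prints
# one. The commit id, tagger and signature block are made up for this
# example; the signature is not a real OpenPGP signature.
GOOD_COMMIT = "3f1a9b2c4d5e6f708192a3b4c5d6e7f8091a2b3c"
SAMPLE_TAG = (
    f"object {GOOD_COMMIT}\n"
    "type commit\n"
    "tag c6.5-example\n"
    "tagger Example Importer <importer@example.invalid> 1409224166 +0000\n"
    "\n"
    "Example signed import tag (constructed)\n"
).encode() + SIG_BEGIN + b"""
Version: GnuPG v2

iQEcBAABAgAGBQJTconstructedNotARealSignatureAAAAAAAAAAAAAAAAAAAAAAAAAAA
=abcd
-----END PGP SIGNATURE-----
"""


def split_signed_tag(raw: bytes):
    """Return (payload, signature); signature is None for an unsigned tag."""
    idx = raw.find(SIG_BEGIN)
    if idx < 0:
        return raw, None
    return raw[:idx], raw[idx:]


def parse_headers(payload: bytes) -> dict:
    """Parse the header block of a tag payload; headers end at the blank line."""
    headers = {}
    for line in payload.split(b"\n"):
        if line == b"":
            break
        key, _, value = line.partition(b" ")
        headers[key.decode()] = value.decode()
    return headers


def git_object_id(kind: str, content: bytes) -> str:
    """Object id as git computes it: sha1("<kind> <len>\\0" + content).

    This is a checksum, not a signature: whoever rewrites the object can
    recompute it, which is the 'checksums alongside the RPMs' problem.
    """
    return hashlib.sha1(f"{kind} {len(content)}\0".encode() + content).hexdigest()


def signed_commit(raw: bytes):
    """Commit id the tag's signature covers, or None if the tag is unsigned."""
    payload, sig = split_signed_tag(raw)
    if sig is None:
        return None
    return parse_headers(payload).get("object")


def tampered_copy(raw: bytes, old_commit: str, new_commit: str) -> bytes:
    """What a compromised mirror can do: point the tag at a different commit.

    The tag's own object id can be recomputed consistently afterwards, but
    the signed payload no longer matches the signature block, so a
    `gpg --verify` of the split parts would fail.
    """
    return raw.replace(old_commit.encode(), new_commit.encode())


if __name__ == "__main__":
    payload, sig = split_signed_tag(SAMPLE_TAG)
    print("signature covers commit:", parse_headers(payload)["object"])
    print("tag object id:          ", git_object_id("tag", SAMPLE_TAG))
    evil = tampered_copy(SAMPLE_TAG, GOOD_COMMIT, "d" * 40)
    print("tampered tag object id: ", git_object_id("tag", evil))
    print("tampered tag now claims:", signed_commit(evil))
```

To verify a real tag you would not do this by hand: `git verify-tag <tag>` performs the same split, hands the payload and signature to gpg, and only succeeds if the signing key is in your keyring and the payload (commit id included) is byte-for-byte what was signed. The point the split makes visible is that the commit id sits inside the signed bytes, so retargeting the tag or rewriting history underneath it cannot be hidden by recomputing hashes.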