On 08/27/2014 09:32 PM, Nico Kadel-Garcia wrote: > On Wed, Aug 27, 2014 at 7:28 AM, Johnny Hughes <johnny at centos.org> wrote: > >>> Not when the metadata is poisoned by a trojaned merge. Git logs can be >>> edited. Without the GPG sums, it's like a web mirror that has a pack >>> of RPM's with a pack of checksums alongside them. The owner of the >>> mirror, or a cracker attacking the host, can corrupt *both*, and >>> without the GPG tag, it's hard to get provenance. >>> >>> And *that* is one of the points where having a GPG signed tag, >>> especially one tied to the contents of the SRPM builds, becomes a a >>> useful tool for verifying provenance of the tree. You can't rely on a >>> binary comparison, there's likely to be frequent skew between the >>> rsync mirrors and the main repo as a matter of course. >> >> Red Hat does not want to provide us a gpg signed tag, so therefore we >> will not be getting one. No reason to keep bringing it up. Its not >> happening ant time soon. > > I'm confused by this. What does Red Hat, at least the core business, > have to do with this? You have a GPG key you use for making RPM's and > SRPM's, why shouldn't or couldn't you use the same key to create git > tags? This would be for tags for *your* work, and possibly for when > you import Red Hat source. We don't IMPORT the Red Hat source code ... Red Hat Engineering provides the Red Hat source code to the machine where git.centos.org lives. (they throw it over the wall that exists between the Red Hat Engineering team and the CentOS team). Things that come in with "CentOS Sources" user (or earlier the "CentOS Buildsys" user) are not done by the CentOS team, they come from upstream. There is a specific user who is allowed to connect from a specific IP that has a specific key who can import code directly. I can not do it. When these things come in, I see them the same way that the Scientific Linux team or anyone else who uses this source sees them, by checking the site. I then use the same tools that anyone else who wants to build the source code would use, the tools here: https://git.centos.org/summary/centos-git-common.git If they (upstream) gave us the SRPMs directly and we imported them, then we might have some say how they came in ... they do not and therefore we do not. Everyone who gets community source code from Red Hat gets it from git.centos.org .. INCLUDING the CentOS Team. <snip> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20140828/0dcc2ca5/attachment-0007.sig>