[CentOS-devel] Importing CentOS-6 Sources into git.centos.org

Thu Aug 28 11:55:43 UTC 2014
Johnny Hughes <johnny at centos.org>

On 08/28/2014 06:09 AM, Johnny Hughes wrote:
> On 08/27/2014 09:32 PM, Nico Kadel-Garcia wrote:
>> On Wed, Aug 27, 2014 at 7:28 AM, Johnny Hughes <johnny at centos.org> wrote:
>>>> Not when the metadata is poisoned by a trojaned merge. Git logs can be
>>>> edited. Without the GPG sums, it's like a web mirror that has a pack
>>>> of RPM's with a pack of checksums alongside them. The owner of the
>>>> mirror, or a cracker attacking the host, can corrupt *both*, and
>>>> without the GPG tag, it's hard to get provenance.
>>>> And *that* is one of the points where having a GPG signed tag,
>>>> especially one tied to the contents of the SRPM builds, becomes a
>>>> useful tool for verifying provenance of the tree. You can't rely on a
>>>> binary comparison, there's likely to be frequent skew between the
>>>> rsync mirrors and the main repo as a matter of course.
>>> Red Hat does not want to provide us a gpg signed tag, so therefore we
>>> will not be getting one.  No reason to keep bringing it up.  It's not
>>> happening any time soon.
>> I'm confused by this. What does Red Hat, at least the core business,
>> have to do with this? You have a GPG key you use for making RPM's and
>> SRPM's, why shouldn't or couldn't you use the same key to create git
>> tags? This would be for tags for *your* work, and possibly for when
>> you import Red Hat source.
> We don't IMPORT the Red Hat source code ... Red Hat Engineering provides
> the Red Hat source code to the machine where git.centos.org lives. (they
> throw it over the wall that exists between the Red Hat Engineering team
> and the CentOS team).
> Things that come in with "CentOS Sources" user (or earlier the "CentOS
> Buildsys" user) are not done by the CentOS team, they come from
> upstream.  There is a specific user who is allowed to connect from a
> specific IP that has a specific key who can import code directly.  I can
> not do it.
> When these things come in, I see them the same way that the Scientific
> Linux team or anyone else who uses this source sees them, by checking
> the site.  I then use the same tools that anyone else who wants to build
> the source code would use, the tools here:
> https://git.centos.org/summary/centos-git-common.git
> If they (upstream) gave us the SRPMs directly and we imported them, then
> we might have some say how they came in ... they do not and therefore we
> do not.  Everyone who gets community source code from Red Hat gets it
> from git.centos.org .. INCLUDING the CentOS Team.
> <snip>

To make sure this is understood, here is an example:


That cloud-init import was done by user "Karanbir Singh" .. it has his
name/user.  If I did an import of an SRPM, it would be by my user.

If the user is CentOS Sources (or the earlier CentOS Buildsys) then it
is coming from upstream.
Look at this one:


All upstream commits.
And this one:

There are upstream commits AND then we roll in changes.

The git log shows what is upstream and what is changed by the team.
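As an added illustration (not part of this thread or of centos-git-common), a small POSIX shell script that sorts a git log by the author rule the post describes: commits from the "CentOS Sources" or "CentOS Buildsys" user are upstream imports, anything else is a team change. The log lines, hashes and subjects are constructed; a real run would feed it `git log --format='%an%x09%h%x09%s'`.

```shell
#!/bin/sh
# Added example, not code from the thread. Splits git history into upstream
# imports and team changes by author name, as the post describes reading
# git.centos.org. Caveat the thread itself raises: the author field is not
# authenticated, so this is a reading aid, not a provenance check; a
# GPG-signed tag would be.

TAB="$(printf '\t')"

# Constructed sample in the format <author><TAB><abbrev hash><TAB><subject>.
# Hashes and subjects are placeholders, not real git.centos.org commits.
SAMPLE_LOG="CentOS Sources${TAB}aaaaaaa${TAB}import an upstream SRPM (placeholder)
Johnny Hughes${TAB}bbbbbbb${TAB}roll in CentOS changes (placeholder)
CentOS Buildsys${TAB}ccccccc${TAB}import an upstream SRPM (placeholder)
Karanbir Singh${TAB}ddddddd${TAB}import cloud-init SRPM (placeholder)"

# Print "upstream" or "team" for one author name, using the two import
# users named in the thread.
classify_author() {
    case "$1" in
        "CentOS Sources"|"CentOS Buildsys") echo upstream ;;
        *) echo team ;;
    esac
}

# Read log lines on stdin; emit "<class><TAB><hash><TAB><author>" per commit.
classify_log() {
    while IFS="$TAB" read -r author hash subject; do
        [ -n "$author" ] || continue
        printf '%s\t%s\t%s\n' "$(classify_author "$author")" "$hash" "$author"
    done
}

# Count lines of classified output that carry the given class.
count_class() {
    n=0
    while IFS="$TAB" read -r class rest; do
        [ "$class" = "$1" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | classify_log
```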
