On 08/28/2014 06:09 AM, Johnny Hughes wrote:
> On 08/27/2014 09:32 PM, Nico Kadel-Garcia wrote:
>> On Wed, Aug 27, 2014 at 7:28 AM, Johnny Hughes <johnny at centos.org> wrote:
>>
>>>> Not when the metadata is poisoned by a trojaned merge. Git logs can be
>>>> edited. Without the GPG sums, it's like a web mirror that has a pack
>>>> of RPM's with a pack of checksums alongside them. The owner of the
>>>> mirror, or a cracker attacking the host, can corrupt *both*, and
>>>> without the GPG tag, it's hard to get provenance.
>>>>
>>>> And *that* is one of the points where having a GPG signed tag,
>>>> especially one tied to the contents of the SRPM builds, becomes a
>>>> useful tool for verifying provenance of the tree. You can't rely on a
>>>> binary comparison, there's likely to be frequent skew between the
>>>> rsync mirrors and the main repo as a matter of course.
>>>
>>> Red Hat does not want to provide us a gpg signed tag, so therefore we
>>> will not be getting one. No reason to keep bringing it up. It's not
>>> happening any time soon.
>>
>> I'm confused by this. What does Red Hat, at least the core business,
>> have to do with this? You have a GPG key you use for making RPM's and
>> SRPM's, why shouldn't or couldn't you use the same key to create git
>> tags? This would be for tags for *your* work, and possibly for when
>> you import Red Hat source.
>
> We don't IMPORT the Red Hat source code ... Red Hat Engineering provides
> the Red Hat source code to the machine where git.centos.org lives. (they
> throw it over the wall that exists between the Red Hat Engineering team
> and the CentOS team).
>
> Things that come in with "CentOS Sources" user (or earlier the "CentOS
> Buildsys" user) are not done by the CentOS team, they come from
> upstream. There is a specific user who is allowed to connect from a
> specific IP that has a specific key who can import code directly. I can
> not do it.
>
> When these things come in, I see them the same way that the Scientific
> Linux team or anyone else who uses this source sees them, by checking
> the site. I then use the same tools that anyone else who wants to build
> the source code would use, the tools here:
>
> https://git.centos.org/summary/centos-git-common.git
>
> If they (upstream) gave us the SRPMs directly and we imported them, then
> we might have some say how they came in ... they do not and therefore we
> do not. Everyone who gets community source code from Red Hat gets it
> from git.centos.org .. INCLUDING the CentOS Team.
>
> <snip>
>

To make sure this is understood, here is an example:

https://git.centos.org/log/rpms!cloud-init/refs!heads!c7-extras

That cloud-init import was done by user "Karanbir Singh" .. it has his name/user. If I did an import of an SRPM, it would be by my user. If the user is CentOS Sources (or the earlier CentOS Buildsys) then it is coming from upstream.

=======================================

Look at this one:

https://git.centos.org/log/rpms!libvpx.git/refs!heads!c7

All upstream commits.

======================================

And this one:

https://git.centos.org/log/rpms!httpd/refs!heads!c7

There are upstream commits AND then we roll in changes. The git log shows what is upstream and what is changed by the team.
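The heuristic in the message above (commits authored by the "CentOS Sources" or "CentOS Buildsys" user are upstream imports, anything else is a CentOS team change) can be applied mechanically to a `git log` listing. The script below is an added example, not part of the original message and not one of the centos-git-common tools; the sample log lines are constructed, with placeholder hashes and subjects, and only the author names come from the message. As the quoted part of the thread points out, an author name in git is plain metadata that anyone can set, so without a signed tag this tells you what the log claims, not who actually produced the commit.

```shell
#!/bin/sh
# Added example: split a git log listing into upstream imports and team changes
# by author name, following the heuristic in the message above. Input lines
# are in the shape produced by
#     git log --format='%h%x09%an%x09%s'
# i.e. abbreviated hash, author name and subject, separated by tabs.

# Author names that the message says are used only by the upstream import user.
UPSTREAM_AUTHORS='CentOS Sources
CentOS Buildsys'

TAB="$(printf '\t')"

# is_upstream AUTHOR: succeed if AUTHOR is exactly one of the upstream import users.
is_upstream() {
    printf '%s\n' "$UPSTREAM_AUTHORS" | grep -Fxq -- "$1"
}

# classify_log: read log lines on stdin, emit "<label> <hash> <author> <subject>"
# (tab-separated) where label is "upstream" or "team".
classify_log() {
    while IFS="$TAB" read -r hash author subject; do
        if is_upstream "$author"; then
            label=upstream
        else
            label=team
        fi
        printf '%s\t%s\t%s\t%s\n' "$label" "$hash" "$author" "$subject"
    done
}

# count_label LABEL: number of commits on stdin classified as LABEL.
count_label() {
    classify_log | awk -F '\t' -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Constructed sample log; hashes and subjects are placeholders, not real history.
SAMPLE_LOG="$(printf '%s\t%s\t%s\n' \
    aaaa111 'CentOS Sources'  'import httpd source rpm (constructed)' \
    bbbb222 'Johnny Hughes'   'roll in CentOS changes (constructed)' \
    cccc333 'CentOS Buildsys' 'import httpd source rpm (constructed)' \
    dddd444 'Karanbir Singh'  'import cloud-init srpm (constructed)')"

# Stand-alone run: print the classified log and a summary.
printf '%s\n' "$SAMPLE_LOG" | classify_log
printf 'upstream imports: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_label upstream)"
printf 'team changes:     %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_label team)"
```

On a real clone you would replace the constructed `SAMPLE_LOG` with the output of the `git log` command shown in the header comment. The match on author name is exact and case-sensitive on purpose: a near-miss such as "centos sources" is classified as a team change rather than silently accepted as upstream, which is the conservative direction for a provenance check that has no signature behind it.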