[CentOS-devel] Importing CentOS-6 Sources into git.centos.org

Thu Aug 28 11:55:43 UTC 2014
Johnny Hughes <johnny at centos.org>

On 08/28/2014 06:09 AM, Johnny Hughes wrote:
> On 08/27/2014 09:32 PM, Nico Kadel-Garcia wrote:
>> On Wed, Aug 27, 2014 at 7:28 AM, Johnny Hughes <johnny at centos.org> wrote:
>>
>>>> Not when the metadata is poisoned by a trojaned merge. Git logs can be
>>>> edited. Without the GPG sums, it's like a web mirror that has a pack
>>>> of RPM's with a pack of checksums alongside them. The owner of the
>>>> mirror, or a cracker attacking the host, can corrupt *both*, and
>>>> without the GPG tag, it's hard to get provenance.
>>>>
>>>> And *that* is one of the points where having a GPG signed tag,
>>>> especially one tied to the contents of the SRPM builds, becomes a
>>>> useful tool for verifying provenance of the tree. You can't rely on a
>>>> binary comparison, there's likely to be frequent skew between the
>>>> rsync mirrors and the main repo as a matter of course.
>>>
>>> Red Hat does not want to provide us a gpg signed tag, so therefore we
>>> will not be getting one.  No reason to keep bringing it up.  It's not
>>> happening any time soon.
>>
>> I'm confused by this. What does Red Hat, at least the core business,
>> have to do with this? You have a GPG key you use for making RPM's and
>> SRPM's, why shouldn't or couldn't you use the same key to create git
>> tags? This would be for tags for *your* work, and possibly for when
>> you import Red Hat source.
> 
> We don't IMPORT the Red Hat source code ... Red Hat Engineering provides
> the Red Hat source code to the machine where git.centos.org lives. (they
> throw it over the wall that exists between the Red Hat Engineering team
> and the CentOS team).
> 
> Things that come in with "CentOS Sources" user (or earlier the "CentOS
> Buildsys" user) are not done by the CentOS team, they come from
> upstream.  There is a specific user who is allowed to connect from a
> specific IP that has a specific key who can import code directly.  I can
> not do it.
> 
> When these things come in, I see them the same way that the Scientific
> Linux team or anyone else who uses this source sees them, by checking
> the site.  I then use the same tools that anyone else who wants to build
> the source code would use, the tools here:
> 
> https://git.centos.org/summary/centos-git-common.git
> 
> If they (upstream) gave us the SRPMs directly and we imported them, then
> we might have some say how they came in ... they do not and therefore we
> do not.  Everyone who gets community source code from Red Hat gets it
> from git.centos.org .. INCLUDING the CentOS Team.
> 
> <snip>
> 

To make sure this is understood, here is an example:

https://git.centos.org/log/rpms!cloud-init/refs!heads!c7-extras

That cloud-init import was done by user "Karanbir Singh" .. it has his
name/user.  If I did an import of an SRPM, it would be by my user.

If the user is CentOS Sources (or the earlier CentOS Buildsys) then it
is coming from upstream.
=======================================
Look at this one:

https://git.centos.org/log/rpms!libvpx.git/refs!heads!c7

All upstream commits.
======================================
And this one:
https://git.centos.org/log/rpms!httpd/refs!heads!c7

There are upstream commits AND then we roll in changes.

The git log shows what is upstream and what was changed by the team.


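As an added example (not code from this post, from centos-git-common, or from git.centos.org), the following POSIX shell script does the check described above: it splits a branch's commits into upstream imports and team changes by the author field, and reports whether a tag carries a signature git can verify. The author names "CentOS Sources" and "CentOS Buildsys" come from the post; the repository, commit messages, e-mail addresses and tag name are constructed stand-ins, and git is assumed to be installed.

```shell
#!/bin/sh
# Added example: classify commits on a git.centos.org-style branch by author
# (upstream import vs CentOS team change) and check whether a tag is signed.
# Assumes git is installed; everything below the author names is constructed.
set -e

# classify_commits REPO BRANCH -> "upstream=N team=M"
classify_commits() {
    repo=$1; branch=$2; upstream=0; team=0
    # %an prints one author name per commit
    git -C "$repo" log --format='%an' "$branch" > "$repo/.authors.tmp"
    while IFS= read -r author; do
        case "$author" in
            "CentOS Sources"|"CentOS Buildsys") upstream=$((upstream + 1)) ;;
            *) team=$((team + 1)) ;;
        esac
    done < "$repo/.authors.tmp"
    rm -f "$repo/.authors.tmp"
    echo "upstream=$upstream team=$team"
}

# tag_status REPO TAG -> "verified" only if git verify-tag accepts a signature;
# a lightweight or unsigned tag, which is all the thread says we will get, is
# "unverified" and gives no provenance beyond the (editable) log itself
tag_status() {
    if git -C "$1" verify-tag "$2" >/dev/null 2>&1; then
        echo verified
    else
        echo unverified
    fi
}

# make_sample_repo DIR: constructed repo with two upstream imports, one team
# change and an unsigned tag (stand-in for the rpms/httpd c7 branch)
make_sample_repo() {
    dir=$1
    git init -q "$dir"
    mkdir -p "$dir/SPECS"
    add_commit() {  # add_commit AUTHOR EMAIL MESSAGE
        echo "$3" >> "$dir/SPECS/httpd.spec"
        git -C "$dir" add -A
        git -C "$dir" -c user.name="$1" -c user.email="$2" commit -q -m "$3"
    }
    add_commit "CentOS Sources" "sources@example.invalid" "import httpd SRPM (constructed)"
    add_commit "CentOS Sources" "sources@example.invalid" "import updated httpd SRPM (constructed)"
    add_commit "Johnny Hughes" "johnny@example.invalid" "roll in CentOS change (constructed)"
    git -C "$dir" tag c7-constructed
}

# Usage: make_sample_repo /tmp/httpd; classify_commits /tmp/httpd HEAD; tag_status /tmp/httpd c7-constructed
```

Pointing classify_commits at a real clone of one of the repositories linked above gives the same upstream/team split the post reads off the web log, without trusting the web front end.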