On 01/29/2014 06:10 AM, Johnny Hughes wrote:
> If CentOS exists as a rebuild of the EL codebase and if the rebuilt code
> works and is tested by the community ... AND if the same source code can
> be used as the basis for the addon variant or repos seamlessly (as is
> our goal), then why does someone else need to rebuild the rebuilt code
> again under another name?

The reason does not have to be to build a public distro, or maybe public but for other purposes.

One of the issues every user of CentOS is facing is security. The reality is that CentOS rebuilds packages to be 100% binary compatible. That means rebuilding against specific versions of packages for dependencies. Essentially, your packages will have the same security bug RHEL has, if that bug was created by manipulating the environment.

I recently read an article which explains how compiling first with a modified compiler and then with a "proper"/vanilla one can introduce changes, so that the same code of the package will be binary different.

So the first thing that comes to my mind is: if several persons inside Red Hat decide which environment will be created to build a package, is it possible for those persons to be working with the NSA to implant hardly detectable security holes? Even the Red Hat CEO does not have to be aware of that. And if the process is non-transparent and needs tweaking, then one can assume foul play is possible.

As a normal CentOS user, I do not really care much if my system has such a sophisticated hole, but any foreign govt (not-USA) would have serious concerns about using something the USA could have tampered with. For example, the Russian govt uses (as far as I remember) REL (Rosa Enterprise Linux). They are part of the Russian govt FOSS Project, for use by all govt branches, just like RHEL is used by the USA govt. What about other govts that distrust both the USA and the Russians?

And with recent claims that the NSA is also running industrial espionage in favor of USA companies, big international companies could be reluctant to use either RHEL or CentOS, or any other 100% binary clone.

The argument about the USA govt using the same packages does not have to be true. Since Red Hat has a closed update/package network with accounts, how hard would it be to hook USA govt systems to a slightly different channel with a few key packages without the bugs that exist for all other users of Red Hat? Maybe just an active symlink creation pointing to secret packages.

That is why people might want to totally control the building process without spending large amounts of time. Even if only to compare packages built against different environments.

-- 
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

StarOS, Mikrotik and CentOS/RHEL/Linux consultant
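The closing point of the message, comparing the same package built in two different environments, is the basic reproducible-build check. Below is an added example of that check; it is not code from this thread, from CentOS or from Red Hat's build tooling. It hashes every regular file in two build output trees (ignoring mtimes and ownership, which legitimately differ between build machines, but recording symlink targets), reports which files exist only on one side or differ in content, and says whether the two builds are bit-for-bit identical. The directory layout and the ELF-like file contents are constructed for the demonstration; the tampered build stands in for a toolchain or environment that changed the output without the source showing it.

```python
"""Compare two builds of the same source produced in different environments.

Added example for this thread, not code from the CentOS project or from any
poster. It checks whether two build output trees are bit-for-bit identical
and, if not, lists exactly which files differ. Directory layout, file names
and contents in make_sample_builds() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path) -> dict:
    """Map relative path -> content hash for every regular file under root.

    Only contents are hashed; mtimes and ownership are ignored on purpose,
    because those legitimately differ between two build machines and are not
    what we want to catch. Symlinks are recorded by target, not followed.
    """
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():
                # A link that silently points somewhere else is itself a difference.
                digests[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                digests[rel] = hash_file(p)
    return digests


def compare_builds(build_a: Path, build_b: Path) -> dict:
    """Return sorted lists of files only in A, only in B, differing, and identical."""
    a, b = tree_digest(build_a), tree_digest(build_b)
    common = a.keys() & b.keys()
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "differ": sorted(p for p in common if a[p] != b[p]),
        "identical": sorted(p for p in common if a[p] == b[p]),
    }


def is_reproducible(report: dict) -> bool:
    """True only when both trees contain the same files with the same bytes."""
    return not (report["only_in_a"] or report["only_in_b"] or report["differ"])


def make_sample_builds(base: Path):
    """Constructed sample: two 'builds' of one package, the second tampered.

    build_b has one binary with one byte changed (a stand-in for a build whose
    toolchain or environment injected something the source does not show) and
    one extra shared object that the reference build never produced.
    """
    build_a, build_b = base / "build_a", base / "build_b"
    for root in (build_a, build_b):
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "usr" / "lib").mkdir(parents=True)
        (root / "usr" / "lib" / "libfoo.so.1").write_bytes(b"\x7fELF" + b"\x00" * 60)
    (build_a / "usr" / "bin" / "foo").write_bytes(b"\x7fELF" + b"\x90" * 32)
    (build_b / "usr" / "bin" / "foo").write_bytes(b"\x7fELF" + b"\x90" * 31 + b"\xcc")
    (build_b / "usr" / "lib" / "extra.so").write_bytes(b"\x7fELF")
    return build_a, build_b


def demo() -> dict:
    """Build the constructed sample trees, compare them and print the report."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = make_sample_builds(Path(tmp))
        report = compare_builds(a, b)
    for key, files in report.items():
        print(f"{key}: {files}")
    print("reproducible:", is_reproducible(report))
    return report


if __name__ == "__main__":
    demo()
```

In practice you would point compare_builds() at the unpacked contents of two RPMs (for example two `rpm2cpio | cpio -idm` extractions) rather than at constructed trees, and a non-empty `differ` list is only the starting point: the next step is to look at each flagged file and decide whether the difference is harmless non-determinism (embedded build dates, paths) or something the source does not account for.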