[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements
Karanbir Singh
mail-lists at karan.org
Fri Jul 4 15:15:04 UTC 2014
On 07/04/2014 02:46 PM, Nico Kadel-Garcia wrote:
> Please consider the use of signed GPG tags for actual
> SRPM updates, rather than merely relying on '[package].metadata, to
> help assure provenance for people who may test or rebuild security
> components.

the content you get is pushed over https, the implementation on git.centos.org seems fairly secure. the content into the machine is via ssh, over a guaranteed ( in as much as network can be guaranteed ) link.

we are also preventing anyone else from being able to commit with the source importer username/email and/or using the word 'import' as the first chat in the commit.

some of this is convention, but as the source that we consume, we are fairly sure of what is going through.

If there are any specific concerns about code, do point them out - and if it's security related, then email security at centos.org instead of a public list.

regards

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
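The convention described in the message above (only the importer may use the importer identity or start a commit subject with 'import') can be checked server-side against raw commit objects. The following is an added example, not part of the original message and not git.centos.org's code; the importer account name, e-mail address, case-insensitive matching and the sample commit are assumptions constructed for illustration.

```python
import re

# Hypothetical importer identity; the real values are not given in the message.
IMPORTER_USER = "importer"
IMPORTER_EMAIL = "importer@example.invalid"

# "author Name <email> <unix-time> <tz>" as found in a raw commit object.
IDENT_RE = re.compile(r"^(author|committer) (.*) <([^>]*)> \d+ [+-]\d{4}$")

def parse_commit(raw):
    """Parse the text of a raw commit object (as printed by `git cat-file commit`)."""
    headers, _, message = raw.partition("\n\n")
    idents = {}
    for line in headers.splitlines():
        m = IDENT_RE.match(line)
        if m:
            idents[m.group(1)] = (m.group(2).strip(), m.group(3).strip().lower())
    subject = message.lstrip("\n").split("\n", 1)[0]
    return idents, subject

def violations(pusher, raw):
    """Return the reasons a commit pushed by `pusher` breaks the convention."""
    if pusher == IMPORTER_USER:
        return []  # the importer account itself is allowed to do both
    idents, subject = parse_commit(raw)
    reasons = []
    for role in ("author", "committer"):
        name, email = idents.get(role, ("", ""))
        # Author/committer fields are free text, so both name and e-mail are compared.
        if email == IMPORTER_EMAIL or name.lower() == IMPORTER_USER:
            reasons.append(f"{role} field uses the importer identity")
    words = subject.split()
    if words and words[0].lower() == "import":
        reasons.append("subject starts with 'import'")
    return reasons

# Constructed sample: a non-importer pusher borrowing the importer e-mail and subject.
SPOOFED = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "author Some Dev <Importer@Example.invalid> 1404486904 +0000\n"
    "committer Some Dev <dev@example.invalid> 1404486904 +0000\n"
    "\n"
    "import foo-1.0-1.el7\n"
)

if __name__ == "__main__":
    for reason in violations("dev", SPOOFED):
        print("reject:", reason)
```

A check like this only constrains what the server accepts from authenticated pushers; it does not give a downstream rebuilder anything to verify, which is the gap the signed-tag request in the quoted text is about.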