[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Sat Jul 5 12:23:29 UTC 2014
Karanbir Singh <mail-lists at karan.org>

On 07/05/2014 05:08 AM, Nico Kadel-Garcia wrote:
> On Fri, Jul 4, 2014 at 11:15 AM, Karanbir Singh <mail-lists at karan.org> wrote:
>> On 07/04/2014 02:46 PM, Nico Kadel-Garcia wrote:
>>> Please consider the use of signed GPG tags for actual
>>> SRPM updates, rather than merely relying on '[package].metadata', to
>>> help assure provenance for people who may test or rebuild security
>>> components.
>>
>> the content you get is pushed over https, the implementation on
>> git.centos.org seems fairly secure. the content into the machine is via
>> ssh, over a guaranteed ( in as much as network can be guaranteed ) link.
>>
>> we are also preventing anyone else from being able to commit with the
>> source importer username/email and or using the word 'import' as the
>> first chat in the commit.
> 
> Thanks. But Karanbir, "commit" is not the problem I'm referring to.
> It's the ability to substitute a trojaned, fake repository in between
> you and the client, to commit a "man-in-the-middle" attack. Valid SSL

What about git.centos.org's SSL cert looks invalid? Also, if you are
doubting SSL as a transport, we've all got bigger problems.


- KB
-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
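
The point the two of them are circling is easy to show in a shell. The script below is an added example, not code from this thread, from git.centos.org or from the CentOS importer: it builds three throwaway repos carrying the same tag name, one signed by an "importer" key, one trojaned and re-signed by an "attacker" key, one with a plain annotated tag, and then runs the check a rebuilder would want. It assumes git and gpg are installed; the key identities, the tag name `imports/demo-1.0-1`, the `.metadata` contents and the repo layout are all constructed for the demo and mirror nothing real.

```shell
#!/bin/sh
# Added example (not from the CentOS thread). TLS authenticates the server you
# fetched from; a signed tag authenticates the commit itself, whichever server
# handed it over. All names, keys, tags and file contents here are constructed.
set -eu
command -v git >/dev/null || { echo 'need git' >&2; exit 1; }
command -v gpg >/dev/null || { echo 'need gpg' >&2; exit 1; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Throwaway, passphrase-less ed25519 keys; the primary key is the signing key,
# so its fingerprint is the one that shows up in gpg's VALIDSIG status line.
new_key() {                   # usage: new_key 'Name <email>'  -> prints fingerprint
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 sign 0 >/dev/null 2>&1
    gpg --batch --with-colons --list-secret-keys "$1" 2>/dev/null |
        awk -F: '/^fpr/ { print $10; exit }'
}
IMPORTER_FPR=$(new_key 'Importer <importer@example.invalid>')
ATTACKER_FPR=$(new_key 'Attacker <attacker@example.invalid>')

export GIT_AUTHOR_NAME=importer GIT_AUTHOR_EMAIL=importer@example.invalid
export GIT_COMMITTER_NAME=importer GIT_COMMITTER_EMAIL=importer@example.invalid
TAG=imports/demo-1.0-1        # constructed tag name

# "upstream": the importer commits a .metadata file and signs a tag on it.
git init -q "$WORK/upstream"
echo 'sha1placeholder  SOURCES/demo-1.0.tar.gz' > "$WORK/upstream/demo.metadata"
git -C "$WORK/upstream" add demo.metadata
git -C "$WORK/upstream" commit -q -m 'import demo-1.0-1'
git -C "$WORK/upstream" tag -s -u "$IMPORTER_FPR" -m 'import demo-1.0-1' "$TAG"

# "mitm": a substituted repo with a trojaned commit under the same tag name,
# re-signed with a key the attacker controls (a key the client happens to have).
git clone -q "$WORK/upstream" "$WORK/mitm"
echo 'sha1placeholder  SOURCES/demo-1.0-trojaned.tar.gz' > "$WORK/mitm/demo.metadata"
git -C "$WORK/mitm" commit -q -a -m 'import demo-1.0-1'
git -C "$WORK/mitm" tag -f -s -u "$ATTACKER_FPR" -m 'import demo-1.0-1' "$TAG" >/dev/null

# "unsigned": the same tag name as a plain annotated tag, no signature at all.
git clone -q "$WORK/upstream" "$WORK/unsigned"
git -C "$WORK/unsigned" tag -f -a -m 'import demo-1.0-1' "$TAG" >/dev/null

# What `git verify-tag` on its own tells you: exit 0 for a good signature from
# ANY key in the local keyring, non-zero when there is no signature.
gpg_accepts() {               # usage: gpg_accepts REPO TAG
    git -C "$1" verify-tag "$2" >/dev/null 2>&1
}

# The check a rebuilder actually wants: a good signature AND the expected key.
# --raw puts gpg's status lines on stderr; VALIDSIG carries the signing key's
# fingerprint, so the trusted fingerprint is pinned rather than "any key I have".
tag_signed_by() {             # usage: tag_signed_by REPO TAG FINGERPRINT
    git -C "$1" verify-tag --raw "$2" 2>&1 | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

for repo in upstream mitm unsigned; do
    if tag_signed_by "$WORK/$repo" "$TAG" "$IMPORTER_FPR"; then
        echo "$repo: $TAG signed by importer key $IMPORTER_FPR, OK to rebuild"
    elif gpg_accepts "$WORK/$repo" "$TAG"; then
        echo "$repo: $TAG has a good signature but from the wrong key, REJECT"
    else
        echo "$repo: $TAG is not signed, REJECT"
    fi
done
```

The second case is the one worth remembering: `git verify-tag` exits 0 for the attacker-signed tag as well, because gpg only reports that the signature is good for some key it knows, so a script that stops at the exit status has not checked provenance at all. Pinning the importer's fingerprint is what turns the tag into evidence about who produced the commit, independent of whether the bytes arrived over https, ssh or a mirror.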