On 07/05/2014 05:08 AM, Nico Kadel-Garcia wrote:
> On Fri, Jul 4, 2014 at 11:15 AM, Karanbir Singh <mail-lists at karan.org> wrote:
>> On 07/04/2014 02:46 PM, Nico Kadel-Garcia wrote:
>>> Please consider the use of signed GPG tags for actual
>>> SRPM updates, rather than merely relying on '[package].metadata', to
>>> help assure provenance for people who may test or rebuild security
>>> components.
>>
>> the content you get is pushed over https, the implementation on
>> git.centos.org seems fairly secure. the content into the machine is via
>> ssh, over a guaranteed ( in as much as network can be guaranteed ) link.
>>
>> we are also preventing anyone else from being able to commit with the
>> source importer username/email and or using the word 'import' as the
>> first char in the commit.
>
> Thanks. But Karanbir, "commit" is not the problem I'm referring to.
> It's the ability to substitute a trojaned, fake repository in between
> you and the client, to commit a "man-in-the-middle" attack

Valid SSL

what about git.centos.org's ssl cert looks invalid ?

Also, if you are doubting SSL as a transport, we've all got bigger problems.

- KB

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc