[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Mon Jul 7 08:56:15 UTC 2014
Karanbir Singh <mail-lists at karan.org>

On 07/07/2014 09:22 AM, Elias Persson wrote:
> A signed tag from CentOS would say "this is the content from
> which we built our SRPM". It wouldn't be "signing the sources"
> any more than the signing of SRPMs would be. Why would that be
> bad?

But an SRPM has more than what's in git, and we can't know what we are
going to release till the code is built, QA'd and has passed release
testing etc., so signing a commit will always be an afterthought.

Also, putting distro keys on developer laptops and circulating them
around town isn't a nice thing; expand that with an increasing contributor
base who are able to branch and build their own content into SIGs etc.,
and you dramatically expand that problem base.

> 
>> [...]  Until then, a signed tag from CentOS just tells
>> us that someone trusted made a change to something untrusted, and the
>> net result is still untrusted because -- say it with me this time -- the
>> chain of trust was broken by *upstream*.
> 
> And this would be different for signed (S)RPMs how, exactly?

An SRPM is a reproducible build source, comprehensive and including
build-time metadata. This will match back to the delivered buildlog
results, which can be mapped, using the timestamp, to the exact
environment it was built in.

A git tag would mostly just indicate what spec was used, and would come
after the event, with no validation of what content changed under and
around the hood by the time this code was released.

Two very different things.

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc