[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Mon Jul 7 12:06:57 UTC 2014
Nico Kadel-Garcia <nkadel at gmail.com>

On Mon, Jul 7, 2014 at 6:40 AM, Jim Perrin <jperrin at centos.org> wrote:
> On 07/06/2014 09:06 PM, Nico Kadel-Garcia wrote:
>> On Sun, Jul 6, 2014 at 9:04 PM, Chris St. Pierre
>> <chris.a.st.pierre at gmail.com> wrote:
>>> There's been a lot of discussion on this, which is surprising given that
>>> this is the wrong place for it.  Maybe next we can discuss how to improve
>>> AutoYAST or IIS.
>>> Some people seem to have forgotten that CentOS, despite the recent change in
>>> employment status of several of its core members, is the *downstream*
>>> rebuilder.  They get their sources via git.centos.org from a prominent North
>>> American Linux reseller, just like the rest of us.
>>> Read that again: CentOS is not special.  They are *consumers* of the
>>> sources, not the producers.
>> They are special.  Various members of the CentOS team are now Red Hat
>> employees (http://seven.centos.org/2014/06/congratulations-to-red-hat-for-rhel7/)
>> Do keep up with current events.
> Yes. They pay the salary for some of us. We're STILL not special, and we
> STILL don't have the ability to reach in and influence the business
> units. We've said that time and again as well.
> http://www.zdnet.com/centos-7-is-on-its-way-7000030443/
> Do try to keep up when you're telling others to keep up.

I read the article, and others at the time. When someone pays your
salary and funds your build hardware, that's pretty "special" compared
to other open source and freeware teams managing various software
forks. It's not unheard of, and I've no moral or ethical issue with
it. (I'm thinking of Zmanda and AMANDA, and the various Subversion
related companies, with which I've also dealt in the past.) But I'm
afraid the funding relationship does, indeed, make it "special"
compared to other developers or rebuilders.

It seems a healthy and reasonable relationship. Red Hat has been an
excellent participant in free software and open source for many years,
and support of CentOS is a good sign of that ongoing support. That
doesn't worry me, at least. And gods forbid, if some business unit did
try to improperly influence you, CentOS and Red Hat have shown good
historical resistance to administrative abuse and I'd expect you to
handle it safely.

> Now, the point of saying that was to say this: Let's at least pretend to
> be civil on this list. You've come storming into the list, with a
> condescending attitude, talking down to several. Do you honestly feel
> that being an asshole on the list helps your cause? If the merits of
> your argument are sound, it'll speak for itself. Being an asshole
> actually HURTS your cause and weakens your argument.

Sorry if it seems that way. I'm trying to raise real issues of
software provenance and repository security and workflow. I'll admit
that I was startled to have to try to explain the usefulness of GPG
signed git tags, and I do seem to have stepped on some toes with
related issues.

I'm not worried about https://git.centos.org security itself. (At
least, no more than any well supported open source website!). The
CentOS developers and maintainers have earned some confidence in their
work. It's the intermediate offsite staging, whether in a local
working repository or possibly a trojaned intermediate repository,
that I'm concerned about. That's outside of the direct control, but a
certain level of verification of local repositories, especially with
well labeled tags, could help improve confidence for anyone working
from your git repo in local repositories, rather than working from raw

> Please be civil on the list.

Trying to. I do wind up openly contradicting someone when I think
they're mistaken, as I just tried to contradict you about the lack of
any "special" relationship of CentOS to Red Hat. But I did try to do
so civilly with you, and to be careful to provide evidence and
reasoning to support the conclusion.

That's about the best I can do.
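The verification step the message above argues for (GPG-signed tags that a consumer can check in its own local or intermediate clone) is shown below as an added example; it is not part of the thread and not CentOS project tooling. It assumes `git` and `gpg` (2.1 or later) are installed, builds a throwaway upstream repository and signing key in a temporary directory, and uses constructed names (the "Demo Maintainer" identity, the tag names, the paths) that are illustrative only.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates why a signed
# tag is only useful to a consumer who holds the signer's public key: the
# same tag fails verification before the key is imported and passes after.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/gnupg-signer"      # maintainer's keyring (constructed)
CONSUMER_HOME="$WORK/gnupg-consumer"  # downstream rebuilder's keyring (constructed)
mkdir -p "$SIGNER_HOME" "$CONSUMER_HOME"
chmod 700 "$SIGNER_HOME" "$CONSUMER_HOME"
trap 'GNUPGHOME="$SIGNER_HOME" gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Passphrase-less ed25519 signing key for the demo maintainer.
GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Demo Maintainer <maintainer@example.invalid>" ed25519 sign never
FPR=$(GNUPGHOME="$SIGNER_HOME" gpg --batch --with-colons --list-secret-keys \
      | awk -F: '/^fpr/ { print $10; exit }')

# Upstream repository: one commit, one GPG-signed tag, one merely annotated tag.
UPSTREAM="$WORK/upstream.git"
git init -q "$UPSTREAM"
cd "$UPSTREAM"
GIT_ID="-c user.name=Demo -c user.email=maintainer@example.invalid"
git $GIT_ID commit -q --allow-empty -m "initial import"
GNUPGHOME="$SIGNER_HOME" git $GIT_ID -c user.signingkey="$FPR" tag -s -m "release 1.0" v1.0-signed
git $GIT_ID tag -a -m "release 1.1" v1.1-unsigned

# Consumer clone: stands in for the local or intermediate repository in the thread.
CONSUMER="$WORK/consumer"
git clone -q "$UPSTREAM" "$CONSUMER"

# verify_tag <gnupghome> <tag>: returns 0 only if git reports a good signature.
verify_tag() {
    GNUPGHOME="$1" git -C "$CONSUMER" verify-tag "$2" >/dev/null 2>&1
}

# Without the maintainer's public key the signed tag cannot be verified at all.
if verify_tag "$CONSUMER_HOME" v1.0-signed; then
    echo "unexpected: tag verified before the signer's key was imported" >&2
    exit 1
fi

# Distribute the public key out of band (here: a file) and import it downstream.
GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --armor --export "$FPR" > "$WORK/maintainer.pub"
GNUPGHOME="$CONSUMER_HOME" gpg --batch --quiet --import "$WORK/maintainer.pub"

verify_tag "$CONSUMER_HOME" v1.0-signed && echo "v1.0-signed: good signature"
verify_tag "$CONSUMER_HOME" v1.1-unsigned || echo "v1.1-unsigned: no signature, rejected"
```

The consumer-side `git verify-tag` is the check that an intermediate clone, whatever path it took, still carries the tag exactly as the maintainer signed it; the annotated-but-unsigned tag is rejected, and the signed one is only accepted once the public key has been obtained through a channel the consumer trusts.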