[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Mon Jul 7 13:51:24 UTC 2014
Johnny Hughes <johnny at centos.org>

On 07/07/2014 07:18 AM, Chris St. Pierre wrote:
> On Mon, Jul 7, 2014 at 6:22 AM, Nico Kadel-Garcia <nkadel at gmail.com
> <mailto:nkadel at gmail.com>> wrote:
>     And you folks at git.centos.org <http://git.centos.org> and the
>     CentOS core developer group, I
>     have some confidence in. Certainly Red Hat does,  they hired a bunch
>     of you. The result is that I assume you have good access from which
>     you are building your imported git.centos.org
>     <http://git.centos.org> sources, either direct
>     git exports from Red Hat's internal git repos or a full feed Red Hat
>     subscription to work the SRPM's from. I'm actually quite curious which
>     you use, I don't see anything at git.centos.org
>     <http://git.centos.org> to indicate. Either
>     way, though, I have some confidence in *your* access to upstream
>     resources.
> This is where I've been trying to tell you you're wrong.  They've made
> it clear that they use git.centos.org <http://git.centos.org>, just
> like the rest of us.  The name on their paycheck doesn't make them
> special in this regard.  The domain in their email address doesn't
> make them special in this regard.  They are subject to the same
> limitations that we are, which is why asking *them* to certify that
> sources they *only consume* is pure folly.

This is correct in one sense, we do indeed consume git.centos.org, like
everyone else.  We do NOT have access to the machine(s) where the
commits are made from (where the SRPMs become a git tree), that is done
by upstream.  There is a purposeful isolation between the resources of
the CentOS team and the RHEL team.

We do know that things that show up on git.centos.org came from a
specific ip address, used a specific key/user combination from that
ipaddress to deliver the content on git.centos.org .. so we know where
it originated from.  (If they are imported by the upstream user), so we
have confidence that content is authentic (as in; it came from upstream).

So, the authenticity of the code is not in question .. it is provided by
upstream or by the person listed in the git log. (for content that is
not from upstream, ie the scripts in centos-git.common).

> Four CentOS core members work for upstream.  That does *not* make
> CentOS upstream.

This is absolutely true ... we (the 4 people hired by Red Hat that
produce CentOS) do not work from anywhere we did not work before we were
hired by Red Hat (we all work from home on CentOS, then and now).  Nor
do we have any access to any resources or information that the RHEL team
at Red Hat does not make public.  We also do not have access to any code
going into CentOS before it shows up on git.centos.org.

The process on our end has not changed, other than where we get the code

All of this stolen CA's to make an SSL certificate that looks valid to a
user who uses git.centos.org, then targeting that user's DNS to make
them download bad code from git.centos.org so that they can then inject
code, while theoretically possible, is silly.

Besides, Red Hat provides source code to their Customers via RHN in SRPM
form.  They provide the expanded Code to the community via git.centos.org.

If you want to validate  the code is the same, then subscribe to RHEL
and do your own comparison.

RHEL is RHEL and CentOS is CentOS .. use CentOS if you want CentOS ..
Use RHEL if you want RHEL ... and if you are another rebuilder, and if
you don't want to use git.centos.org, then talk to and sign an agreement
with Red Hat to do something else.  All the rest of this is just silly.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20140707/57e643ec/attachment-0007.sig>