[CentOS-devel] moving from gitorious

Nico Kadel-Garcia

nkadel at gmail.com
Thu Mar 5 14:31:06 UTC 2015


On Thu, Mar 5, 2015 at 7:26 AM, Johnny Hughes <johnny at centos.org> wrote:
> On 03/05/2015 05:58 AM, Nux! wrote:
>> Keep git.centos.org as authority, use github instead of gitorious; everybody is there already anyway.
>>
>> Lucian
>>
>
> +1 from me

I appreciate github and use it a great deal. (Look over there for my
daemontools, rt4 for RHEL 6, samba 4 for CentOS 6, and other toolkits.)
And repoforge also used it effectively. I'm delighted to see it
suggested, and suspect it will be much, much faster to pull from
github.com than it generally is from git.centos.org.

However, we're right back to the problem I mentioned when I first saw
git.centos.org: "provenance". If all CentOS and upstream RHEL source
is published on a central website, one can try to verify the chain of
ownership and verify the source by verifying it directly against that
central repository with its owned SSL certificate and the chain of
trust there. As soon as people are cloning from there to another site,
and cloning off of those instead of against the central repository,
you have a potentially risky step on any third party hosted
repository. And you have an expensive verification step to *keep
checking it against the central repo*.

So, how can we make sure that what is at github.com actually matches
what came from git.centos.org? Especially since the information about
what actually went into a SRPM is a log message, tied to a revision
that can be excluded and replaced or corrupted in a third party hosted
clone?

Oh, right! It's already there. GPG signed git tags are a core git
facility, CentOS build systems already handle GPG tags to sign the
SRPMs they build, and it already does what the "git log"
interpretation tools tried to do and which they cannot provide for the
growing number of git mirrors and third-party hosted repositories. I
hope this provides a solid reason to activate real tags. It should be
possible to do on top of the existing structure without altering the
existing logs at all.

             Nico Kadel-Garcia

>> ----- Original Message -----
>>> From: "Karanbir Singh" <kbsingh at centos.org>
>>> To: "The CentOS developers mailing list." <centos-devel at centos.org>
>>> Sent: Thursday, 5 March, 2015 11:30:38
>>> Subject: [CentOS-devel] moving from gitorious
>>
>>> Hi,
>>>
>>> We have some of our content currently hosted on gitorious.org that we
>>> mirror from git.centos.org - the intention being that git.centos.org is
>>> still the authority, but people can use the easier contribution path at
>>> gitorious to build karma and then get direct git commit access at
>>> git.centos.org
>>>
>>> since gitorious is going away, what are everyone's thoughts to
>>> consolidating all of this external contribution path on
>>> github.com/CentOS - we already host a bunch of content there.
>>>
>>> Regards
>>>
>>> --
>>> Karanbir Singh, Project Lead, The CentOS Project
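An added example, not code from this thread or from the CentOS build tooling, showing the split that `git verify-tag` performs before calling gpg: the signed payload of a tag object contains the `object` line, so a mirror that quietly re-points the tag at a different commit changes the payload and the signature no longer verifies. The tag bytes, object ids and tag name are constructed; `verify_with_gpg` assumes a `gpg` binary with the signer's public key imported.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----\n"

# Constructed sample shaped like `git cat-file -p <tag>` output; the armour
# block is a placeholder, not a real signature.
SIGNED_TAG = (
    b"object 4f3d2c1b0a9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c\n"
    b"type commit\n"
    b"tag v1.0-signed\n"
    b"tagger Example Builder <builder@example.invalid> 1425565866 +0000\n"
    b"\nSources for package build v1.0\n"
    + SIG_BEGIN
    + b"iQEcBAABCAAGBQJU-PLACEHOLDER-NOT-A-REAL-SIGNATURE\n=abcd\n"
    + b"-----END PGP SIGNATURE-----\n"
)
# The same tag as a mirror that silently re-pointed it would serve (constructed).
TAMPERED_TAG = SIGNED_TAG.replace(SIGNED_TAG[7:47], b"0" * 40)

def split_signed_tag(raw: bytes):
    """Return (payload, signature); signature is None for an unsigned tag."""
    idx = raw.find(b"\n" + SIG_BEGIN)
    return (raw, None) if idx < 0 else (raw[:idx + 1], raw[idx + 1:])

def parse_tag_header(payload: bytes) -> dict:
    """Headers (object, type, tag, tagger) as strings, plus the tag message."""
    head, _, message = payload.partition(b"\n\n")
    fields = dict(line.decode().split(" ", 1) for line in head.split(b"\n"))
    fields["message"] = message.decode()
    return fields

def tag_object_id(raw: bytes) -> str:
    """Git's object id for the tag: SHA-1 over 'tag <size>\\0' + content."""
    return hashlib.sha1(b"tag %d\0" % len(raw) + raw).hexdigest()

def verify_with_gpg(raw: bytes, gnupghome: str = "") -> bool:
    """Run `gpg --verify` on the detached pair, as git does (needs gpg + key)."""
    payload, sig = split_signed_tag(raw)
    if sig is None:
        return False
    with tempfile.TemporaryDirectory() as d:
        Path(d, "payload").write_bytes(payload)
        Path(d, "tag.asc").write_bytes(sig)
        cmd = ["gpg", "--batch"] + (["--homedir", gnupghome] if gnupghome else [])
        cmd += ["--verify", str(Path(d, "tag.asc")), str(Path(d, "payload"))]
        return subprocess.run(cmd, capture_output=True).returncode == 0
```

Because the `object` line sits inside the signed payload, comparing the verified tag's `object` field against the commit actually checked out from the mirror is enough to detect a re-pointed tag without re-fetching from git.centos.org.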
