On 03/05/2015 08:31 AM, Nico Kadel-Garcia wrote:
> On Thu, Mar 5, 2015 at 7:26 AM, Johnny Hughes <johnny at centos.org> wrote:
>> On 03/05/2015 05:58 AM, Nux! wrote:
>>> Keep git.centos.org as authority, use github instead of gitorious; everybody is there already anyway.
>>>
>>> Lucian
>>>
>>
>> +1 from me
>
> I appreciate github and use it a great deal. (Look over there for my daemontools, rt4 for RHEL 6, samba 4 for CentOS 6, and other toolkits.) And repoforge also used it effectively. I'm delighted to see it suggested, and suspect it will be much, much faster to pull from github.com than it generally is from git.centos.org.
>
> However, we're right back to the problem I mentioned when I first saw git.centos.org: "provenance". If all CentOS and upstream RHEL source is published on a central website, one can try to verify the chain of ownership and verify the source by verifying it directly against that central repository with its owned SSL certificate and the chain of trust there. As soon as people are cloning from there to another site, and cloning off of those instead of against the central repository, you have a potentially risky step on any third party hosted repository. And you have an expensive verification step to *keep checking it against the central repo*.
>
> So, how can we make sure that what is at github.com actually matches what came from git.centos.org? Especially since the information about what actually went into a SRPM is a log message, tied to a revision that can be excluded and replaced or corrupted in a third party hosted clone?
>
> Oh, right! It's already there. GPG signed git tags are a core git facility, CentOS build systems already handle GPG tags to sign the SRPMs they build, and it already does what the "git log" interpretation tools tried to do and which they cannot provide for the growing number of git mirrors and third-party hosted repositories.
>
> I hope this provides a solid reason to activate real tags. It should be possible to do on top of the existing structure without altering the existing logs at all.

You can't .. you just need to trust us, or use something else

> Nico Kadel-Garcia
>
>>> ----- Original Message -----
>>>> From: "Karanbir Singh" <kbsingh at centos.org>
>>>> To: "The CentOS developers mailing list." <centos-devel at centos.org>
>>>> Sent: Thursday, 5 March, 2015 11:30:38
>>>> Subject: [CentOS-devel] moving from gitorious
>>>
>>>> Hi,
>>>>
>>>> We have some of our content currently hosted on gitorious.org that we mirror from git.centos.org - the intention being that git.centos.org is still the authority, but people can use the easier contribution path at gitorious to build karma and then get direct git commit access at git.centos.org
>>>>
>>>> since gitorious is going away, what are everyone's thoughts to consolidating all of this external contribution path on github.com/CentOS - we already host a bunch of content there.
>>>>
>>>> Regards
>>>>
>>>> --
>>>> Karanbir Singh, Project Lead, The CentOS Project
>>
>> _______________________________________________
>> CentOS-devel mailing list
>> CentOS-devel at centos.org
>> http://lists.centos.org/mailman/listinfo/centos-devel
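An added example (not code from this thread or from the CentOS project) of why a signed tag answers the mirror question: it splits a git tag object into the payload gpg signs and the armor block, computes the tag's object id the way git does, and shows that a mirror retargeting the tag to another commit changes both the signed payload and the tag id. The tag content, tagger and armor block are constructed placeholders; checking the signature itself is left to `git verify-tag`.

```python
import hashlib
import re

# Constructed sample of a signed tag object, as `git cat-file -p <tag>` prints it.
# Commit id, tagger and armor block are placeholders; `git tag -s` makes real ones.
SAMPLE_TAG = (
    b"object 0123456789abcdef0123456789abcdef01234567\n"
    b"type commit\ntag example-1.0\n"
    b"tagger Example Signer <signer@example.org> 1425556800 +0000\n\n"
    b"import of example-1.0 sources\n"
    b"-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER+ARMOR+NOT+A+REAL+SIGNATURE=\n"
    b"-----END PGP SIGNATURE-----\n"
)

def split_signed_tag(raw):
    """Return (payload, armor): the signature covers every byte before the armor."""
    m = re.search(rb"^-----BEGIN PGP SIGNATURE-----", raw, re.M)
    return (raw, None) if not m else (raw[:m.start()], raw[m.start():])

def parse_tag(payload):
    """Parse the signed header: object (commit id), type, tag name, tagger, message."""
    header, _, message = payload.partition(b"\n\n")
    fields = {"message": message.decode()}
    for line in header.split(b"\n"):
        key, _, value = line.partition(b" ")
        fields[key.decode()] = value.decode()
    return fields

def git_object_id(raw):
    """The tag's id as git computes it: sha1 over 'tag <size>\\0' + full content."""
    return hashlib.sha1(b"tag %d\x00" % len(raw) + raw).hexdigest()

def check_tag(raw, checked_out_commit):
    """Problems binding the tag to the commit a clone served; [] leaves only gpg to run."""
    payload, armor = split_signed_tag(raw)
    fields = parse_tag(payload)
    problems = []
    if armor is None:
        problems.append("tag is not signed")
    if fields.get("type") != "commit":
        problems.append("tag does not point at a commit")
    if fields.get("object") != checked_out_commit:
        problems.append("signed commit %s != checked-out %s"
                        % (fields.get("object"), checked_out_commit))
    return problems

def retarget(raw, new_commit):
    """Simulate a mirror rewriting the tag to point at another commit."""
    return re.sub(rb"^object [0-9a-f]{40}", b"object " + new_commit.encode(),
                  raw, count=1, flags=re.M)
```

Because the commit id sits inside the signed payload, a retargeted tag fails `git verify-tag` under the authority's key no matter which mirror served it, so no check against git.centos.org is needed beyond holding its public key.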