[CentOS-devel] moving from gitorious

Thu Mar 5 14:58:46 UTC 2015
Johnny Hughes <johnny at centos.org>

On 03/05/2015 08:31 AM, Nico Kadel-Garcia wrote:
> On Thu, Mar 5, 2015 at 7:26 AM, Johnny Hughes <johnny at centos.org> wrote:
>> On 03/05/2015 05:58 AM, Nux! wrote:
>>> Keep git.centos.org as authority, use github instead of gitorious; everybody is there already anyway.
>>>
>>> Lucian
>>>
>>
>> +1 from me
> 
> I appreciate github and use it a great deal. (Look over there for my
> daemontools, rt4 for RHEL 6, samba 4 for CentOS 6, and other toolkits.)
> And repoforge also used it effectively. I'm delighted to see it
> suggested, and suspect it will be much, much faster to pull from
> github.com than it generally is from git.centos.org.
> 
> However, we're right back to the problem I mentioned when I first saw
> git.centos.org: "provenance". If all CentOS and upstream RHEL source
> is published on a central website, one can try to verify the chain of
> ownership and verify the source by verifying it directly against that
> central repository with its owned SSL certificate and the chain of
> trust there. As soon as people are cloning from there to another site,
> and cloning off of those instead of against the central repository,
> you have a potentially risky step on any third party hosted
> repository. And you have an expensive verification step to *keep
> checking it against the central repo*.
> 
> So, how can we make sure that what is at github.com actually matches
> what came from git.centos.org? Especially since the information about
> what actually went into a SRPM is a log message, tied to a revision
> that can be excluded and replaced or corrupted in a third party hosted
> clone?
> 
> Oh, right! It's already there. GPG signed git tags are a core git
> facility, CentOS build systems already handle GPG tags to sign the
> SRPMs they build, and it already does what the "git log"
> interpretation tools tried to do and which they cannot provide for the
> growing number of git mirrors and third-party hosted repositories. I
> hope this provides a solid reason to activate real tags. It should be
> possible to do on top of the existing structure without altering the
> existing logs at all.

You can't .. you just need to trust us, or use something else

> 
> Nico Kadel-Garcia
> 
>>> ----- Original Message -----
>>>> From: "Karanbir Singh" <kbsingh at centos.org>
>>>> To: "The CentOS developers mailing list." <centos-devel at centos.org>
>>>> Sent: Thursday, 5 March, 2015 11:30:38
>>>> Subject: [CentOS-devel] moving from gitorious
>>>
>>>> Hi,
>>>>
>>>> We have some of our content currently hosted on gitorious.org that we
>>>> mirror from git.centos.org - the intention being that git.centos.org is
>>>> still the authority, but people can use the easier contribution path at
>>>> gitorious to build karma and then get direct git commit access at
>>>> git.centos.org
>>>>
>>>> since gitorious is going away, what are everyone's thoughts to
>>>> consolidating all of this external contribution path on
>>>> github.com/CentOS - we already host a bunch of content there.
>>>>
>>>> Regards
>>>>
>>>> --
>>>> Karanbir Singh, Project Lead, The CentOS Project
>>
>>
>>
>> _______________________________________________
>> CentOS-devel mailing list
>> CentOS-devel at centos.org
>> http://lists.centos.org/mailman/listinfo/centos-devel
>>


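The "keep checking it against the central repo" step that Nico describes can be made cheap by comparing the tag namespace of the authoritative host with that of the mirror before anything is cloned from the mirror. The script below is an added example, not code from this thread or from the CentOS project: it parses `git ls-remote --tags` output from both hosts and reports tags the mirror lacks, tags whose object id differs, and tags the mirror added on its own. The tag names, object ids and the two `ls-remote` listings are constructed sample data; `git.centos.org` and `github.com/CentOS` are used only as hypothetical URLs in the live helpers, which are not run here.

```python
"""Compare tags on a third-party git mirror against the authoritative repo.

Added example (not CentOS project code).  Annotated tags show up twice in
`git ls-remote --tags` output: once as the tag object and once peeled
(`refs/tags/NAME^{}`) to the commit it points at.  Both entries are kept,
so a mirror that re-created a tag of the same name with a new tag object
(different signer or message) is flagged even if the peeled commit matches.
"""
import subprocess
from typing import Dict, List

# Constructed object ids (40 hex chars, not real CentOS commits).
TAG_01, COMMIT_01 = "1a" * 20, "1b" * 20
TAG_02, COMMIT_02 = "2a" * 20, "2b" * 20
TAG_02_REPLACED = "2c" * 20  # a different tag object for the same name
TAG_03, COMMIT_03 = "3a" * 20, "3b" * 20
COMMIT_HOTFIX = "4b" * 20

# Constructed sample of `git ls-remote --tags https://git.centos.org/...`
AUTHORITY_TAGS = f"""\
{TAG_01}\trefs/tags/c7-0.1-1.el7
{COMMIT_01}\trefs/tags/c7-0.1-1.el7^{{}}
{TAG_02}\trefs/tags/c7-0.2-1.el7
{COMMIT_02}\trefs/tags/c7-0.2-1.el7^{{}}
{TAG_03}\trefs/tags/c7-0.3-1.el7
{COMMIT_03}\trefs/tags/c7-0.3-1.el7^{{}}
"""

# Constructed sample from a mirror: 0.2 re-tagged, 0.3 missing, a lightweight
# hotfix tag that the authority never published.
MIRROR_TAGS = f"""\
{TAG_01}\trefs/tags/c7-0.1-1.el7
{COMMIT_01}\trefs/tags/c7-0.1-1.el7^{{}}
{TAG_02_REPLACED}\trefs/tags/c7-0.2-1.el7
{COMMIT_02}\trefs/tags/c7-0.2-1.el7^{{}}
{COMMIT_HOTFIX}\trefs/tags/c7-0.3-hotfix
"""


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Turn `git ls-remote` text into {ref: object id}."""
    refs: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            oid, ref = parts
            refs[ref] = oid
    return refs


def compare_tags(authority: Dict[str, str], mirror: Dict[str, str]) -> Dict[str, List[str]]:
    """Report refs missing from, changed on, or invented by the mirror."""
    return {
        "missing": sorted(r for r in authority if r not in mirror),
        "changed": sorted(r for r in authority if r in mirror and mirror[r] != authority[r]),
        "extra": sorted(r for r in mirror if r not in authority),
    }


def mirror_is_faithful(report: Dict[str, List[str]]) -> bool:
    """A mirror may lag (extra refs are suspicious but not proof of tampering);
    a missing or rewritten authoritative tag means it cannot be trusted."""
    return not (report["missing"] or report["changed"])


def sample_report() -> Dict[str, List[str]]:
    """Run the comparison over the constructed listings above."""
    return compare_tags(parse_ls_remote(AUTHORITY_TAGS), parse_ls_remote(MIRROR_TAGS))


def live_ls_remote(url: str) -> Dict[str, str]:
    """Fetch real tag refs from a host (needs git and network; not run here)."""
    out = subprocess.run(["git", "ls-remote", "--tags", url],
                         check=True, capture_output=True, text=True).stdout
    return parse_ls_remote(out)


def verify_signed_tag(repo_dir: str, tag: str) -> bool:
    """Check a GPG-signed tag in a local clone with `git verify-tag`
    (needs git and the signer's public key in the keyring; not run here)."""
    return subprocess.run(["git", "-C", repo_dir, "verify-tag", tag]).returncode == 0


if __name__ == "__main__":
    rep = sample_report()
    for kind, refs in rep.items():
        print(f"{kind}: {refs}")
    print("mirror faithful:", mirror_is_faithful(rep))
```

Comparing object ids only answers whether the mirror matches the central host at the moment of the check; it says nothing about the central host itself, which is the trust root Johnny points at. For the tags that matter, `verify_signed_tag` adds the signature check against a key you obtained out of band, so a rewritten tag object fails even if both hosts agree on it.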