On 09.02.21 at 21:57, Chris Drake wrote:
> Hi Peter,
>
> "working on delivering" is nice, but it's a GPL legal requirement that
> this be done, so getting it completed should be priority.
>
> "Meanwhile all the sources used to build CentOS Stream content has
> always been available through https://git.centos.org/"
>
> Did you follow my link? I found at least one source that is missing -
> so it looks like whoever is doing the build is not in fact using that
> repo to do it from.
>
> It blows my mind how insecure this all is - security news is packed with
> daily exploits being discovered, yet everyone still seems happy to run
> sketchy code downloaded from insecure web sites for which none of the
> source that was used really exists when you go looking for it, and where
> the entire build and installation process is programmed to ignore
> missing and invalid digital signatures...
>

Chris, please take a step back and take a look at some details in an elaborated way.

For instance, as Fabian already answered, git sources are not in any master branch, they are in sub branches. Additional bin blobs are in a look-aside space outside of git. This is all explained in the wiki.

About signed packages, could you please explain your POV called "ignore missing and invalid digital signature"?

--
Thanks
Leon