[CentOS-devel] Source code missing, and insecure delivery pages linked

Tue Feb 9 21:08:24 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

Am 09.02.21 um 21:57 schrieb Chris Drake:
> Hi Peter,
> "working on delivering" is nice, but it's a GPL legal requirement that 
> this be done, so getting it completed should be priority.
> "Meanwhile all the sources used to build CentOS Stream content has 
> always been available through https://git.centos.org/ 
> <https://git.centos.org/> "
> Did you follow my link?  I found at least one source that is missing - 
> so it looks like whoever is doing the build is not in fact using that 
> repo to do it from.
> It blows my mind how insecure this all is - security news is packed with 
> daily exploits being discovered, yet everyone still seems happy to run 
> sketchy code downloaded from insecure web sites for which none of the 
> source that was used really exists when you go looking for it, and where 
> the entire build and installation process is programmed to ignore 
> missing and invalid digital signatures...

Chris, please take a step back and take a look at some details in a
elaborated way. For instance as Fabian already answered, git sources
are not in any master branch, they are in sub branches. Additional
bin blobs are in a look-aside space outside of git. This is all
explained in the wiki. About signed packages, could you please explain
your POV called "ignore missing and invalid digital signature".