[CentOS] Is the Centos code safe?

Thu Jul 30 22:08:56 UTC 2009
jkinz at kinz.org <jkinz at kinz.org>

On Thu, Jul 30, 2009 at 05:27:27PM -0400, Phil Pinto wrote:
> Just a couple of questions - are the code distribution methods locked
> down to prevent malicious tampering from someone who may be interested
> in selling access to millions of computer systems? CentOS is very
> pervasive in hosting companies around the world. Has Lance's access
> been restricted, to prevent injection of malicious code?

ISO images are usually MD5 sum'd (or similar) and signed on
most distros, and source code patches are typically visible
to multiple people as part of the submission process.  Source
patches have to go upstream to be ultimately integrated into the
CentOS distro.

So the possibility of "vandalism" in these circumstances - e.g. a
known individual with access and high visibility - is very
unlikely to be attempted and even more unlikely to succeed.

I fear that making this kind of speculation, ascribing
>potential< acts of vandalism to unnamed but clearly
identified specific persons, has only one major effect: to make a
sore subject and the relationships of those involved even worse.

We have only one issue that needs resolution and it is being
handled by the people closest to the issue.  The safety and
continuance of CentOS is already assured and not in question. 

Hopefully we can refrain from this kind of hype-driven scenario
generating.

     After all - We aren't journalists. :-) 

The CentOS source is safely stored in multiple places including
an upstream North American enterprise-level vendor.

Truly we don't need to be concerned about its purity.  The
existing developers and multiple other code holders have taken
care of that.


Jeff Kinz.

-- 
This text was created using speech recognition software.
Some errors may be present in the transcription.

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?
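The ISO checksum check mentioned above ("MD5 sum'd and signed"), as an added example that is not part of the original post or of any CentOS tooling: a small Python verifier for md5sum/sha256sum-style manifests, run over a constructed sample image. The file name, image bytes and manifests are constructed, and authenticating the manifest itself (gpg --verify of the vendor's detached signature) is assumed to happen separately.

```python
import hashlib
import hmac
import re

# One line per file, as written by md5sum/sha256sum: "<hexdigest>  <name>"
# (two spaces, or " *" before the name in binary mode). Digest length picks the algorithm.
_ALGO_BY_HEXLEN = {32: "md5", 64: "sha256"}
_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def parse_manifest(text):
    """Return {filename: (algorithm, hexdigest)} for every well-formed manifest line."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # comments, blank lines or junk: ignore rather than guess
        digest, name = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_HEXLEN.get(len(digest))
        if algo:
            entries[name] = (algo, digest)
    return entries


def digest_bytes(data, algo, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to sit in memory at once."""
    h = hashlib.new(algo)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_iso(name, data, manifest_text):
    """True only if `data` matches the manifest entry for `name`.

    A mismatch means a corrupt or tampered download. The manifest proves nothing
    unless it was itself authenticated first (e.g. gpg --verify of the vendor's
    detached signature); that step is out of band and not performed here."""
    entry = parse_manifest(manifest_text).get(name)
    if entry is None:
        return False
    algo, expected = entry
    return hmac.compare_digest(digest_bytes(data, algo), expected)


# Constructed sample data: a fake 3 MiB "ISO" and the manifests a mirror might publish.
SAMPLE_ISO = bytes(range(256)) * (3 * 4096)
MD5_MANIFEST = f"{hashlib.md5(SAMPLE_ISO).hexdigest()}  sample.iso\n"
SHA256_MANIFEST = f"{hashlib.sha256(SAMPLE_ISO).hexdigest()} *sample.iso\n"
```

For a real download, read the image from disk and pass its bytes (or adapt `digest_bytes` to read the file in chunks) and use the manifest only after its signature has verified.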