SCIENTIFIC-LINUX-USERS Archives

December 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: David Sommerseth <[log in to unmask]>
Reply To:
Date: Sat, 20 Dec 2014 04:15:44 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (25 lines)
On 18/12/14 14:10, Nico Kadel-Garcia wrote:
> The new git structure at git.centos.org, rather than
> directly using RHEL signed SRPM's, does create a provenance problem.
> They seem to have been good about it, and some of their core members
> are now Red Hat employees, and this is now the official software
> channel, and that's all re-assuring. But there's a notable difference
> between "here is the source tree which someone labeled as using the
> word 'import' in the git commit messages", and "this is the signed
> SRPM that was built with mock or koji when I compiled the actual
> software, and which is signed with the same key at the same time".

That's a fair point.  But with newer git versions (1.7.9, I believe), it is 
also possible to have signed commits using GPG.  So hopefully they'll start 
making use of such features at least.  Then it is easier to ensure the commits 
have not been modified by a MITM.

A fairly well-written blog about these features can be found here:
<http://mikegerwitz.com/papers/git-horror-story>


--
kind regards,

David Sommerseth

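[Added example, not part of David's message or of git's own code.] The feature David refers to is `git commit -S` (git 1.7.9 and later), which stores an armored PGP signature in a `gpgsig` header of the commit object; `git log --show-signature` and `git verify-commit` (git 2.1 and later) check it by splitting the object back into the signed payload and a detached signature and handing both to gpg. The script below reproduces that split and the object-id computation on a constructed commit object so the MITM point can be seen concretely: the signature covers the tree, the parent ids, author, committer and message, so a relay that rewrites any of them changes the payload gpg checks (and the commit id), while the stored signature stays the same and therefore fails. The tree id is git's well-known empty-tree id; the parent id, author, message and the armored signature body are placeholders, not real data or a real signature.

```python
"""Constructed model of how git stores and checks a GPG-signed commit.
Added example; not code from the list post or from git itself."""
import hashlib
import subprocess
import tempfile

# Constructed commit object, laid out as `git cat-file commit <id>` prints it.
# Parent id, author and message are made up; the signature body is a
# placeholder and will not verify with any key.
SIGNED_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"   # git's empty tree
    "parent 0123456789abcdef0123456789abcdef01234567\n"  # placeholder
    "author Example Dev <dev@example.org> 1419038144 +0100\n"
    "committer Example Dev <dev@example.org> 1419038144 +0100\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"                                                 # armor blank line
    " iQEcBAABCAAGBQJUlM4AAAoJEP/placeholder-not-a-real-signature\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "import example-1.0-1.el7\n"                          # constructed message
)


def split_signed_commit(raw: str):
    """Split a commit object into (payload, signature) the way
    `git verify-commit` does: the `gpgsig` header and its space-indented
    continuation lines form the detached signature; every other line is
    the payload that gpg verifies. An unsigned commit yields signature ''."""
    headers, _, message = raw.partition("\n\n")
    payload_lines, sig_lines, in_sig = [], [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig_lines.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig_lines.append(line[1:])          # drop the indent git added
        else:
            in_sig = False
            payload_lines.append(line)
    payload = "\n".join(payload_lines) + "\n\n" + message
    signature = "\n".join(sig_lines) + "\n" if sig_lines else ""
    return payload, signature


def object_id(raw: str) -> str:
    """Git object id: SHA-1 over the header 'commit <byte length>\\0' + content."""
    data = raw.encode()
    return hashlib.sha1(b"commit %d\x00" % len(data) + data).hexdigest()


def tamper(raw: str, old: str, new: str) -> str:
    """What a hostile relay does: rewrite one field but keep the gpgsig header."""
    if old not in raw:
        raise ValueError("field to rewrite not found")
    return raw.replace(old, new, 1)


def verify_with_gpg(raw: str) -> bool:
    """Run the real check with the gpg CLI, as git does. Requires gpg and the
    signer's public key in the keyring; an unsigned commit is a failure, not a
    pass, because stripping the header is the cheapest tampering of all."""
    payload, signature = split_signed_commit(raw)
    if not signature:
        return False
    with tempfile.TemporaryDirectory() as d:
        sig_path, payload_path = f"{d}/commit.sig", f"{d}/commit.payload"
        with open(sig_path, "w") as f:
            f.write(signature)
        with open(payload_path, "w") as f:
            f.write(payload)
        try:
            result = subprocess.run(["gpg", "--verify", sig_path, payload_path],
                                    capture_output=True)
        except FileNotFoundError:
            raise RuntimeError("gpg is not installed")
        return result.returncode == 0


def demo() -> dict:
    """Show what the signature pins and what a rewritten commit looks like."""
    payload, sig = split_signed_commit(SIGNED_COMMIT)
    altered = tamper(SIGNED_COMMIT, "import example-1.0-1.el7",
                     "import example-1.0-2.el7")
    altered_payload, altered_sig = split_signed_commit(altered)
    return {
        "payload_is_the_unsigned_object": "gpgsig" not in payload,
        "signature_is_armored": sig.startswith("-----BEGIN PGP SIGNATURE-----\n"),
        "parent_pinned_by_signature":
            "parent 0123456789abcdef0123456789abcdef01234567\n" in payload,
        "tamper_changes_commit_id": object_id(altered) != object_id(SIGNED_COMMIT),
        "tamper_changes_signed_payload": altered_payload != payload,
        "tamper_leaves_signature_unchanged": altered_sig == sig,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two consequences worth noting: because `parent` lines are inside the signed payload, a verified signature on the tip commit pins the whole ancestry through the hash chain, so checking HEAD is enough when the history is pulled in full; and because an attacker who controls the transport can simply delete the `gpgsig` header, the consumer has to require a valid signature (for example with `git merge --verify-signatures`), not merely verify whatever signatures happen to be present.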