SCIENTIFIC-LINUX-USERS Archives

December 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Sat, 20 Dec 2014 10:32:00 -0500
Content-Type: text/plain
On Fri, Dec 19, 2014 at 10:15 PM, David Sommerseth
<[log in to unmask]> wrote:
> On 18/12/14 14:10, Nico Kadel-Garcia wrote:
>>
>> The new git structure at git.centos.org, rather than
>> directly using RHEL signed SRPM's, does create a provenance problem.
>> They seem to have been good about it, and some of their core members
>> are now Red Hat employees, and this is now the official software
>> channel, and that's all re-assuring. But there's a notable difference
>> between "here is the source tree which someone labeled as using the
>> word 'import' in the git commit messages", and "this is the signed
>> SRPM that was built with mock or koji when I compiled the actual
>> software, and which is signed with the same key at the same time".
>
>
> That's a fair point.  But with newer git versions (1.7.9, I believe), it is
> also possible to have signed commits using GPG.  So hopefully they'll start
> making use of such features at least.  Then it is easier to ensure the
> commits have not been modified by a MITM.
>
> A fairly well written blog about these features can be found here:
> <http://mikegerwitz.com/papers/git-horror-story>

I'm afraid that the version of git with SL 6 and RHEL 6 is version
1.7.2. The newer features seem to be available in 1.8, which is
available from the ius 3rd party repository.

The blog is interesting. I've tended to rely on code review of a
central git repository for critical code, which helps catch bugs as
well as security issues. (My typing is not perfect, and I have had
typos bite me!)
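The thread above discusses signed git commits as a way to detect commits altered in transit. The following is an added example, not code from either poster or from the CentOS or Scientific Linux projects: a small gate that runs `git log` with the `%G?` (signature status) and `%GK` (signing key id) pretty-format placeholders over a revision range and rejects the range if any commit lacks a good signature from an allow-listed key. It assumes a git new enough to understand those placeholders (they post-date the 1.7.2 shipped with SL 6 that the reply mentions), a gpg keyring that contains the signers' public keys, and that the key ids in `TRUSTED_KEYS` and the sample log are constructed placeholders.

```python
#!/usr/bin/env python3
"""Reject a commit range unless every commit carries a good GPG signature
from an allow-listed key.  Added example; key ids below are constructed."""
import subprocess
from dataclasses import dataclass

# Meaning of git's %G? signature-status codes (git-log PRETTY FORMATS).
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. public key missing)",
    "N": "no signature",
}

# "U" is accepted on purpose: gpg's web-of-trust validity is replaced here by
# an explicit allow-list of key ids, so we only need the signature to verify.
ACCEPTED_STATUS = {"G", "U"}

# Constructed placeholder key ids standing in for the real release signers.
TRUSTED_KEYS = {"0123456789ABCDEF"}

# hash <TAB> signature status <TAB> signing key id <TAB> subject
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%s"


@dataclass
class CommitSig:
    sha: str
    status: str
    key: str
    subject: str


def parse_log(text):
    """Parse `git log --format=LOG_FORMAT` output into CommitSig records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            raise ValueError("unexpected git log line: %r" % line)
        sha, status, key, subject = parts
        commits.append(CommitSig(sha, status, key.upper(), subject))
    return commits


def evaluate(commits, trusted_keys):
    """Return [(sha, reason), ...] for every commit that fails the policy."""
    trusted = {k.upper() for k in trusted_keys}
    problems = []
    for c in commits:
        if c.status not in ACCEPTED_STATUS:
            reason = STATUS_MEANING.get(c.status, "unknown status %r" % c.status)
            problems.append((c.sha, reason))
        elif c.key not in trusted:
            problems.append((c.sha, "signed by non-allow-listed key " + c.key))
    return problems


def git_log(rev_range, repo="."):
    """Run git log over rev_range (e.g. 'origin/c7..HEAD') in repo."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True)
    return out.stdout


def check_range(rev_range, trusted_keys=TRUSTED_KEYS, repo="."):
    """Policy verdict for a live repository: [] means every commit passed."""
    return evaluate(parse_log(git_log(rev_range, repo)), trusted_keys)


# Constructed sample output in LOG_FORMAT layout, used for a dry run.
SAMPLE_LOG = "\n".join([
    "a1" * 20 + "\tG\t0123456789ABCDEF\timport foo-1.0-1.el7",
    "b2" * 20 + "\tN\t\tfix typo in spec",
    "c3" * 20 + "\tG\tFEDCBA9876543210\tbump release",
    "d4" * 20 + "\tU\t0123456789abcdef\tadd patch for CVE-XXXX-XXXX (placeholder)",
    "e5" * 20 + "\tE\t0123456789ABCDEF\tupdate changelog",
])

if __name__ == "__main__":
    for sha, reason in evaluate(parse_log(SAMPLE_LOG), TRUSTED_KEYS):
        print("REJECT %s: %s" % (sha[:12], reason))
```

In a CI job you would call `check_range("origin/branch..HEAD")` and fail the build if the list is non-empty. Note what this does and does not establish: a good signature ties a commit object (tree plus metadata) to a key you chose to trust, which addresses the in-transit modification the thread is worried about, but it says nothing about whether that tree matches the SRPM a distribution actually built, so it complements rather than replaces the signed-SRPM comparison the original post asks for.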
