SCIENTIFIC-LINUX-USERS Archives

December 2020

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Mon, 14 Dec 2020 22:41:34 +0100
http://springdale.math.ias.edu/wiki/disclaimer

"This software is provided with no warranty and no guarantee. We use the 
readily available source code provided by Red Hat to build the 
distribution. Any problems/vulnerabilities that are found in Red Hat are 
going to be present in our versions unless we specifically patched our 
versions.

Whenever possible we follow the release and support schedules from Red 
Hat, when source rpms are available, we will begin building and testing 
them. We believe that the testing done by Red Hat will be much greater 
than our own and in most cases we rely on their testing."


On 12/14/20 10:27 PM, Yasha Karant wrote:
> As I recall, what you state below is similar in sentiment to 
> response/s when I noted the "same" comment concerning Princeton EL in 
> the past.  I take it from your response no one in the larger EL 
> community (including HPC/HTC) shares the Princeton "sentiment" and 
> that there is no "basis in data/fact" for it?  At that time, we 
> decided to deploy SL; CentOS Stream however totally is unsatisfactory 
> for our needs.
>
> On 12/14/20 1:10 PM, Konstantin Olchanski wrote:
>>>
>>>> and ... CentOS RPMs are not 100% safe ...
>>>
>>
>> This is a very unexpected statement. I feel it should not be passed 
>> unquestioned.
>>
>> Is there any meat there or it's just a general statement on the security
>> of the CentOS build process vs the security of the Red Hat build process
>> vs the security of the Princeton build process? (including signatures 
>> of source code,
>> signatures of binary packages, security of the mirror network, etc).
>>
