Subject: | |
From: | |
Reply To: | |
Date: | Wed, 11 Jun 2014 09:49:53 +0000 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
On 11 Jun 2014, at 09:41, Steven Haigh <[log in to unmask]> wrote:
> On 11/06/14 17:24, Matthias Schroeder wrote:
>> On 06/11/2014 04:12 AM, Steven Haigh wrote:
>>> On 11/06/14 12:07, Paul Robert Marino wrote:
>>>> Yes a lot of us noticed.
>>>> Recompiling an entire distro from scratch is not an easy proposition.
>>>> Furthermore they need to strip out all of the Red Hat branding. Expect
>>>> it to take a while at least a month or two if not more.
>>>
>>> I think it'll take longer than normal this time around... The build
>>> process is changing completely from previous versions.
>>
>> True, adapting the process to the new "supply chain" and source format
>> will take a while.
>>
>>> It seems the code
>>> is getting published on git.centos.org - but it seems nobody really
>>> knows who is putting it there.
>>>
>>> This leaves the moral quandary of 'do we all trust an anonymous source
>>> with no official ties to Red Hat?'
>>
>> http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
>>
>> "Current sources for Red Hat Enterprise Linux 7 have been moved to the
>> following location:
>>
>> https://git.centos.org/project/rpms"
>>
>> Does this reduce your moral quandary a little?
>
> Not at all. There is no source for this data at all. Just spec files and
> patches that have 'appeared'.
>
> The SRPMs provided by RedHat in the past are all signed by RedHat and
> are VERY difficult if not impossible to tamper with.
>
> There is no method to authenticate that the files being dumped into
> git.centos.org by an unknown source (hint: It isn't the CentOS guys
> putting them there) are unmodified or even supplied by RedHat.
>
> This is the problem.
Ok, I see your point now. Seems I misinterpreted the ‘moral quandary’.
Matthias
>
> --
> Steven Haigh
>
> Email: [log in to unmask]
> Web: http://www.crc.id.au
> Phone: (03) 9001 6090 - 0412 935 897
> Fax: (03) 8338 0299
>
|
|
|