SCIENTIFIC-LINUX-USERS Archives

June 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Dag Wieers <[log in to unmask]>
Date: Thu, 19 Jun 2014 16:37:02 +0200
On Wed, 18 Jun 2014, Lamar Owen wrote:

> So, somewhat paradoxically, I would have a greater confidence in source from 
> git than source from a signed source RPM, again due to git's design.  Yeah, I 
> know, it's not what we're used to, and there is a bit of information that a 
> package.src.rpm has that the git repo won't have, but it's possible to 
> produce binary compatibility without that bit of info.  It may seem to be 
> more work, but time will tell.

It depends, of course, on who signs it. If the SRPM is signed by Red Hat, and 
the git commits are signed by CentOS, you cannot really say that it is the 
same thing. One may claim that it is the same thing, but only Red Hat can 
prove it for every commit/SRPM.

And that is a problem.

Your chain of trust becomes one piece longer, and we don't know what that 
piece exactly entails.

-- 
-- dag wieers, [log in to unmask], http://dag.wieers.com/
-- dagit linux solutions, [log in to unmask], http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]