On Wed, 18 Jun 2014, Lamar Owen wrote:
> So, somewhat paradoxically, I would have a greater confidence in source from
> git than source from a signed source RPM, again due to git's design. Yeah, I
> know, it's not what we're used to, and there is a bit of information that a
> package.src.rpm has that the git repo won't have, but it's possible to
> produce binary compatibility without that bit of info. It may seem to be
> more work, but time will tell.
It depends, of course, on who signs it. If the SRPM is signed by Red Hat, and
the git commits are signed by CentOS, you cannot really say that it is the
same thing. One may claim that it is the same thing, but only Red Hat can
prove it for every commit/SRPM.
And that is a problem.
Your chain of trust becomes one piece longer, and we don't know what that
piece exactly entails.
--
-- dag wieers, [log in to unmask], http://dag.wieers.com/
-- dagit linux solutions, [log in to unmask], http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]