SCIENTIFIC-LINUX-USERS Archives

June 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Steven Haigh <[log in to unmask]>
Reply To:
Steven Haigh <[log in to unmask]>
Date:
Sat, 21 Jun 2014 11:38:23 +1000
Content-Type:
multipart/signed
Parts/Attachments:
text/plain (3758 bytes) , signature.asc (851 bytes)
On 21/06/14 11:09, Nico Kadel-Garcia wrote:
> Hi, Dag!!
> 
> Haven't seen you since that London Linux conference, I'm back in the USA now.
> 
> On Fri, Jun 20, 2014 at 5:14 PM, Dag Wieers <[log in to unmask]> wrote:
> 
>> Self-criticism (and yes, I feel part of Red Hat's community) is essential.
>> And a decision that makes Red Hat weaker, weakens my case as well.
> 
> It's also contributing to skepticism from companies and users looking
> at RHEL 7 or the clone rebuilds. If we're all stuck rebuilding from
> CentOS, not from RHEL signed packages that are verifiably consistent
> with what our favorite upstream vendor actually packages and tests,
> that's a logical source of security and support concern.
> 
> What makes it worse is that HTTPS is not sufficiently secure to verify
> the authenticity of original source code, and the git repo itself
> could be hijacked by any subtle attacker using any of the unrevoked,
> stolen SSL wildcard keys in the wild. That could be a fascinating
> security hole for 3rd party vendors who rely on RHEL or CentOS SRPM's
> for their source code for open source based projects. These include
> Centrify, that rebundles OpenSSH with various features, and apparently
> Cisco for their ASA firewall products.
> 
>> With all due respect, but your response to one point of criticism is probably
>> why someone at Red Hat (unless maybe high up in the organization) may not
>> speak up. It clearly is a management/legal decision and yes, I do believe if
>> you are on the payroll, that is exactly what you are not supposed to
>> question. Red Hat becoming less Open Source may harm the company's public
>> image.
> 
> Dag, I beg to differ with you here. My experience with Red Hat
> technical personnel on an individual basis is that they will
> *question* policies, but that they are quite aware that their voice is
> not authoritative and are cautious about saying "this is the way it
> is, because I work for Red Hat and that's the policy". They leave
> it to the legal and management personnel, who may also be aware of
> things they're not privy to (such as software licensing agreements
> with Sun, back in the day.)
> 
>> And since the CentOS board is on Red Hat's payroll as well, I think they are
>> in the same boat, unfortunately.
> 
> Yeah, I've been urging my clients to switch to Scientific Linux where
> possible for a stack of reasons. If we, or our friends on the SL build
> team, can work around this, it'll be another reason to switch. The
> decision to switch to pure git based distribution is, currently, rife
> with security and implementation issues. That it was done effectively
> unannounced, without testing it with the RHEL 7 beta components is a
> sign of a problem.

To be fair to RedHat, they did announce it months ago... What didn't
happen was a dump of stuff to be looked at for comment before this all
happened.

The main problems I see are this:

1) The lack of validation of the initial import. This has been beaten to
death, I don't need to comment further on this.

2) The only source is the CentOS source. I don't want to use the CentOS
project, and I don't want to use altered sources. There is no real
separation here between RedHat and CentOS. Essentially, TUV is now
CentOS (for what value that is). This is a problem.

3) I'm not against having EL7 as a git based setup - HOWEVER, there
needs to be separation between CentOS and RH work, i.e. CentOS should have
forked from a RH repository. CentOS can then do whatever they like to
their git, but the RH stuff is preserved and ONLY updated to keep in
sync with their source tree. CentOS could then pull those changes, and
again do whatever they want to.

-- 
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299