SCIENTIFIC-LINUX-USERS Archives

June 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Sun, 22 Jun 2014 17:41:27 -0400

On Sun, Jun 22, 2014 at 4:42 PM, Mark Rousell <[log in to unmask]> wrote:
> I've been following the discussions on this list about the changes in RHEL's source availability and I'd like to confirm my understanding of the current situation.
>
> Someone on another mail list made this comment:
>
>         RedHat have said that they'll not be releasing source RPMs any more, so
>         the response by the Scientific Linux people has more or less been
>         "Either use CentOS or our very own re-packaged CentOS thingie".
>
> This is incorrect (in terms of both statements that it makes), isn't it?
>
>
> Here is my current understanding. Please feel free to correct or confirm:-
>
> 1) RH now makes SRPMs available only to customers (but SRPMs are nevertheless still available on those terms).
>
> 2) The RHEL source is publicly also available on git.centos.org.
>
> 3) But it is not *absolutely* crystal clear what on git.centos.org is pure unadulterated RHEL source and what is CentOS source.
>
> 4) The SL project is writing tools to automatically extract RHEL source from git.centos.org.
>
> 5) SL7 will therefore be based on RHEL7 and definitely not on CentOS.
>
> 6) Anything I've forgotten?
>
>
> Thanks to anyone who can help with this.

Step 4 is not reliable, and may cause profound problems, without step
3. Without verifiable GPG signed tags, in fact, a malicious proxy
could use any of the stolen SSL root certificates, sign a forged
'git.centos.org' SSL signature, and interpose their trojan software
burdened git repository.

Moving away from the public SRPMs is burdensome to rebuilders other
than CentOS, at least without those steps.
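
The check the reply asks for, sketched as an added example that is not part of the original message or of any Scientific Linux or CentOS tooling: a rebuilder accepts a tag only when `git verify-tag` reports a valid signature from a key fingerprint pinned out of band, so trust no longer rests on the TLS certificate of the host serving the repository. It assumes the repository publishes GPG-signed tags; the fingerprint, function names and status lines below are constructed.

```shell
#!/bin/sh
# Fingerprint of the expected signing key, obtained out of band.
# Constructed placeholder, not a real key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read GnuPG status lines on stdin. Succeed only if a VALIDSIG line names the
# pinned fingerprint (signing key in field 3, primary key in the last field)
# and no line reports a bad, expired or revoked signature.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) { ok = 1 } else { bad = 1 }
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_tag REPO_DIR TAG: --raw sends the GnuPG status output to stderr.
verify_tag() {
    git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null | check_status "$PINNED_FPR"
}

# checkout_verified REPO_DIR TAG: refuse to build from anything unverified.
checkout_verified() {
    verify_tag "$1" "$2" || { echo "refusing $2: not signed by pinned key" >&2; return 1; }
    git -C "$1" checkout --quiet "refs/tags/$2"
}

# Constructed status output: a signature from the pinned key ...
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-06-22 1403473287 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
# ... and a cryptographically valid signature from some other key in the keyring.
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-06-22 1403473287 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

printf '%s\n' "$GOOD_STATUS" | check_status "$PINNED_FPR" && echo "pinned key: accept"
printf '%s\n' "$OTHER_KEY_STATUS" | check_status "$PINNED_FPR" || echo "other key: reject"
```

Pinning matters because `git verify-tag` on its own succeeds for a good signature from any key in the local keyring, not only the expected signer's.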
