SCIENTIFIC-LINUX-USERS Archives

June 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Steven Haigh <[log in to unmask]>
Reply To: Steven Haigh <[log in to unmask]>
Date: Wed, 11 Jun 2014 17:41:40 +1000
Content-Type: multipart/signed
Parts/Attachments: text/plain (1662 bytes), signature.asc (851 bytes)

On 11/06/14 17:24, Matthias Schroeder wrote:
> On 06/11/2014 04:12 AM, Steven Haigh wrote:
>> On 11/06/14 12:07, Paul Robert Marino wrote:
>>> Yes a lot of us noticed.
>>> Recompiling an entire distro from scratch is not an easy proposition.
>>> Furthermore they need to strip out all of the Red Hat branding. Expect
>>> it to take a while at least a month or two if not more.
>>
>> I think it'll take longer than normal this time around... The build
>> process is changing completely from previous versions.
> 
> True, adapting the process to the new "supply chain" and source format
> will take a while.
> 
>> It seems the code
>> is getting published on git.centos.org - but it seems nobody really
>> knows who is putting it there.
>>
>> This leaves the moral quandary of 'do we all trust an anonymous source
>> with no official ties to Red Hat?'
> 
> http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
> 
> "Current sources for Red Hat Enterprise Linux 7 have been moved to the
> following location:
> 
> https://git.centos.org/project/rpms"
> 
> Does this reduce your moral quandary a little?

Not at all. There is no source for this data at all. Just spec files and
patches that have 'appeared'.

The SRPMs provided by Red Hat in the past are all signed by Red Hat and
are VERY difficult if not impossible to tamper with.

There is no method to authenticate that the files being dumped into
git.centos.org by an unknown source (hint: It isn't the CentOS guys
putting them there) are unmodified or even supplied by Red Hat.

This is the problem.

-- 
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299


