SCIENTIFIC-LINUX-USERS Archives

June 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Wed, 11 Jun 2014 04:32:46 -0400
On Wed, Jun 11, 2014 at 3:41 AM, Steven Haigh <[log in to unmask]> wrote:
> On 11/06/14 17:24, Matthias Schroeder wrote:
>> On 06/11/2014 04:12 AM, Steven Haigh wrote:
>>> On 11/06/14 12:07, Paul Robert Marino wrote:
>>>>
>>>> Yes a lot of us noticed.
>>>> Recompiling an entire distro from scratch is not an easy proposition.
>>>> Furthermore they need to strip out all of the Red Hat branding. Expect
>>>> it to take a while at least a month or two if not more.
>>>
>>> I think it'll take longer than normal this time around... The build
>>> process is changing completely from previous versions.
>>
>> True, adapting the process to the new "supply chain" and source format
>> will take a while.
>>
>>> It seems the code
>>> is getting published on git.centos.org - but it seems nobody really
>>> knows who is putting it there.
>>>
>>> This leaves the moral quandary of 'do we all trust an anonymous source
>>> with no official ties to Red Hat?'
>>
>> http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
>>
>> "Current sources for Red Hat Enterprise Linux 7 have been moved to the
>> following location:
>>
>> https://git.centos.org/project/rpms"
>>
>> Does this reduce your moral quandary a little?
>
> Not at all. There is no source for this data at all. Just spec files and
> patches that have 'appeared'.
>
> The SRPMs provided by RedHat in the past are all signed by RedHat and
> are VERY difficult if not impossible to tamper with.
>
> There is no method to authenticate that the files being dumped into
> git.centos.org by an unknown source (hint: It isn't the CentOS guys
> putting them there) are unmodified or even supplied by RedHat.
>
> This is the problem.

AFAIC this is pure FUD.

In what way is the CentOS git less secure than other upstream git repos?

Do you have an example of files being "dumped" into the CentOS git by
non-CentOS uploaders? I've looked at a few packages and I see
[log in to unmask] (he's one of the main CentOS guys) and
[log in to unmask]
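As an added example (not from this thread or from either poster), a small check for the property Steven describes: an SRPM counts as authenticated only when `rpm -K` reports a verified signature, because rpm also prints OK for an unsigned package whose digests are merely intact. The sample output lines, the package names and the key id are constructed here, and the line shapes are assumed from rpm 4.11 (EL7) and rpm 4.14+.

```python
import re
import subprocess
from typing import Dict, Iterable, Literal

Verdict = Literal["signed", "unsigned", "bad"]

# Constructed `rpm -K` result lines (assumed shapes; key id is a placeholder).
SAMPLE_LINES = [
    "kernel-3.10.0-123.el7.src.rpm: rsa sha1 (md5) pgp md5 OK",
    "unsigned-1.0-1.el7.src.rpm: sha1 md5 OK",
    "missingkey-1.0-1.el7.src.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK "
    "(MISSING KEYS: (MD5) PGP#00000000)",
    "newer-2.0-1.src.rpm: digests signatures OK",
    "newer-unsigned-2.0-1.src.rpm: digests OK",
]

# Tokens that only appear when rpm actually checked a signature.
_SIG_TOKEN = re.compile(r"\b(pgp|gpg|signatures)\b", re.IGNORECASE)


def classify(line: str) -> Verdict:
    """Classify one `rpm -K` line.

    'OK' alone is not proof of origin: an unsigned package prints only its
    digest checks ('sha1 md5 OK' or 'digests OK'), so a signature token must
    be present before the package is treated as signed.
    """
    _name, _sep, status = line.partition(": ")
    if "NOT OK" in status.upper():
        return "bad"           # bad digest, bad signature, or key not imported
    if _SIG_TOKEN.search(status):
        return "signed"        # signature present and verified against a key
    return "unsigned"          # digests fine, but nobody vouches for the file


def audit(lines: Iterable[str]) -> Dict[str, Verdict]:
    """Map each package name to its verdict for a batch of `rpm -K` lines."""
    return {line.split(":", 1)[0]: classify(line) for line in lines}


def check_srpm(path: str) -> Verdict:
    """Run `rpm -K` on a real file (needs rpm on PATH) and classify the result."""
    proc = subprocess.run(["rpm", "-K", path], capture_output=True, text=True)
    last = proc.stdout.strip().splitlines()
    return classify(last[-1]) if last else "bad"


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_LINES).items():
        print(f"{verdict:9} {name}")
```

Only the "signed" verdict reproduces the guarantee the signed SRPMs gave; files fetched from a git tree with no signature land in the same bucket as "unsigned" here.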
