SCIENTIFIC-LINUX-USERS Archives

June 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Matt Lewandowsky <[log in to unmask]>
Reply To:
Matt Lewandowsky <[log in to unmask]>
Date:
Wed, 11 Jun 2014 01:42:17 -0700
Content-Type:
multipart/signed
Parts/Attachments:
text/plain (2159 bytes) , smime.p7s (6 kB)
Tom H, Sent: Wednesday, 11 June, 2014 01:33:
> AFAIC this is pure FUD.
>
> In what way is the CentOS git less secure than other upstream git repos?
>
> Do you have an example of files being "dumped" into the CentOS git by
> non-CentOS uploaders? I've looked at a few packages and I see
> [log in to unmask] (he's one of the main CentOS guys) and
> [log in to unmask]

The problem, as I see it, is that the "[log in to unmask]" commits come from a 
magic place, and no one is sure where that is. The commits are not GPG 
signed, nor are they in any way verifiable as originating with Red Hat.

We're getting a bit off-topic for this list, but I see the following as a 
solution to clarifying the current situation as I understand the reality to 
be:

1) Have the commits come from a Red Hat email address (since they're 
supposedly being pushed to the repo from Red Hat) as the committer.

2) Have the commits be GPG signed, with a way to verifiably trust the 
signature.

3) Ensure git.centos.org is able to show signing information.

This will result in a verifiable chain of the sources originating at Red Hat, 
and reasonable assurance that there has been no tampering. However, it does add some risk 
to Red Hat, as there is a degree of them certifying correctness. The "don't 
trust" view is that *someone* needs to be able to put their name behind it, as 
opposed to a faceless committer claiming to be the bug tracker.

Personally, I don't care if [log in to unmask] commits are signed if he doesn't 
want them to be and I suspect almost every party interested in this 
conversation would agree. It's his personal name on the line. The problem is 
the generic bug tracker address committing huge swaths of code of unknown 
provenance.

Again, this is just my view of the situation. I'm not trying to say whether 
"trust" or "don't trust" is the correct answer. But I see both sides and I 
want to help everyone also see both sides so they can be informed in their 
replies instead of this rapidly degenerating into a mess of useless 
speculation which can't be reconciled due to lack of facts.

Matt

-- 
Matt Lewandowsky
Big Geek
Greenviolet
[log in to unmask] http://www.greenviolet.net
+1 415 578 5782 (US) +44 844 484 8254 (UK)
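The three-point proposal in the message above (Red Hat committer address, GPG-signed commits, visible signing information) can be turned into a mechanical check on a checkout of the repository. The script below is an added example, not code from the list or from the CentOS project; it uses git's own `%G?`, `%GF` and `%ce` pretty-format placeholders, and the `TRUSTED_DOMAIN` and `ALLOWED_FPRS` values are assumptions (the fingerprint is a placeholder to be replaced with the real signing key's).

```shell
#!/bin/sh
# Audit a commit range against the policy proposed above: every commit must
# carry a good GPG signature from a pinned key and have a committer address in
# the expected domain. Input lines come from git's pretty-format placeholders:
#   %H  commit hash      %G?  signature status: G good, U good but key not
#   %GF signing-key fpr        trusted locally, B bad, E cannot check,
#   %ce committer e-mail       N unsigned, X/Y expired, R revoked
# TRUSTED_DOMAIN and ALLOWED_FPRS are assumptions for this example.
TRUSTED_DOMAIN="${TRUSTED_DOMAIN:-redhat.com}"
ALLOWED_FPRS="${ALLOWED_FPRS:-0000000000000000000000000000000000000001}"  # placeholder

# audit_commits: read "hash|status|fpr|email" lines on stdin, print one REJECT
# line per offending commit, return 1 if any were found and 0 otherwise.
audit_commits() {
    bad=0
    while IFS='|' read -r hash sig fpr email; do
        [ -n "$hash" ] || continue
        reason=""
        # A good signature is accepted even when the local keyring has not
        # marked the key trusted (U): trust here comes from the pinned fingerprint.
        case "$sig" in
            G|U) ;;
            *) reason="signature-status=$sig" ;;
        esac
        case " $ALLOWED_FPRS " in
            *" $fpr "*) ;;
            *) reason="${reason:+$reason,}key-not-pinned" ;;
        esac
        case "$email" in
            *"@$TRUSTED_DOMAIN") ;;
            *) reason="${reason:+$reason,}committer=$email" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'REJECT %s %s\n' "$hash" "$reason"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# audit_range: apply the policy to a real repository, e.g. audit_range 'c7~20..c7'.
audit_range() {
    git log --format='%H|%G?|%GF|%ce' "$1" | audit_commits
}
```

Run `audit_range` inside a clone with the signing key imported; a commit that is unsigned (N) or signed by a key that is not pinned is listed with the reason, so the "faceless committer" case in the message shows up as a concrete rejection rather than a suspicion.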

