Date: Wed, 11 Jun 2014 01:42:17 -0700
Content-Type: multipart/signed
Tom H, Sent: Wednesday, 11 June, 2014 01:33:
> AFAIC this is pure FUD.
>
> In what way is the CentOS git less secure than other upstream git repos?
>
> Do you have an example of files being "dumped" into the CentOS git by
> non-CentOS uploaders? I've looked at a few packages and I see
> [log in to unmask] (he's one of the main CentOS guys) and
> [log in to unmask]
The problem, as I see it, is that the "[log in to unmask]" commits come from a
magic place that no one is sure of where it is. The commits are not GPG
signed, nor are they at all verifiable as originating with Red Hat.

We're getting a bit off-topic for this list, but I see the following as a
solution to clarifying the current situation as I understand the reality to
be:

1) Have the commits come from a Red Hat email address (since they're
supposedly being pushed to the repo from Red Hat) as the committer.
2) Have the commits be GPG signed, with a way to verifiably trust the
signature.
3) Ensure git.centos.org is able to show signing information.

This will result in a verifiable chain of the sources originating at Red Hat,
and being reasonably sure of lack of tampering. However, it does add some risk
to Red Hat as there is a degree of them certifying correctness. The "don't
trust" view is that *someone* needs to be able to put their name behind it as
opposed to a faceless committer claiming to be the bug tracker.

Personally, I don't care if [log in to unmask] commits are signed if he doesn't
want them to be and I suspect almost every party interested in this
conversation would agree. It's his personal name on the line. The problem is
the generic bug tracker address committing huge swaths of code of unknown
provenance.

Again, this is just my view of the situation. I'm not trying to say whether
"trust" or "don't trust" is the correct answer. But I see both sides and I
want to help everyone also see both sides so they can be informed in their
replies instead of this rapidly degenerating into a mess of useless
speculation which can't be reconciled due to lack of facts.
Matt
--
Matt Lewandowsky
Big Geek
Greenviolet
[log in to unmask] http://www.greenviolet.net
+1 415 578 5782 (US) +44 844 484 8254 (UK)
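The three-step chain proposed in the message above (a committer address in a trusted domain, a GPG signature, and a signing key the reviewer actually trusts rather than one gpg merely reports as good) can be checked mechanically from `git log` output. The following is an added example, not code from this thread or from the CentOS or Red Hat projects; the commit hashes, key ids, addresses and domains are constructed placeholders.

```python
from dataclasses import dataclass

# Format string for `git log`; run in the repository being audited, e.g.
#   git log --format='%H%x09%G?%x09%GK%x09%ce' <branch>
GIT_LOG_FORMAT = "%H%x09%G?%x09%GK%x09%ce"

# git's %G? codes: G good and trusted, U good but untrusted key, X good but
# expired signature, Y good but expired key, R good but revoked key, B bad,
# E cannot be checked (key missing), N no signature.
GOOD_SIGNATURE = {"G"}

@dataclass
class Finding:
    commit: str
    problems: list

def audit_commits(log_output, trusted_domains, trusted_keys):
    """Return one Finding per commit that fails the provenance policy."""
    findings = []
    for line in log_output.splitlines():
        if not line.strip():
            continue
        sha, status, keyid, email = line.split("\t")
        problems = []
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains:
            problems.append(f"committer {email} not in trusted domains")
        if status == "N":
            problems.append("commit is not GPG signed")
        elif status not in GOOD_SIGNATURE:
            problems.append(f"signature status {status!r} is not a good, trusted signature")
        elif keyid not in trusted_keys:
            problems.append(f"signed with key {keyid} which is not in the allow-list")
        if problems:
            findings.append(Finding(sha, problems))
    return findings

# Constructed sample of `git log` output (tab separated): sha, %G?, %GK, %ce.
SAMPLE_LOG = "\n".join([
    "a1b2c3\tN\t\tbugs@example.invalid",                     # unsigned, generic address
    "d4e5f6\tG\tDEADBEEFDEADBEEF\tpackager@redhat.example",  # passes all three checks
    "0a9b8c\tU\t0123456789ABCDEF\tpackager@redhat.example",  # good sig, untrusted key
    "f00ba7\tG\t0123456789ABCDEF\tpackager@redhat.example",  # trusted by gpg, not by us
])
TRUSTED_DOMAINS = {"redhat.example"}   # placeholder, not a real policy
TRUSTED_KEYS = {"DEADBEEFDEADBEEF"}    # placeholder key id

if __name__ == "__main__":
    for finding in audit_commits(SAMPLE_LOG, TRUSTED_DOMAINS, TRUSTED_KEYS):
        print(finding.commit, "; ".join(finding.problems))
```

Note that `%G?` only reports what the local gpg keyring says; the explicit key allow-list is what turns "gpg says good" into "someone we named put their name behind it".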