SCIENTIFIC-LINUX-USERS Archives

June 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Matthias Schroeder <[log in to unmask]>
Reply To: Matthias Schroeder <[log in to unmask]>
Date: Wed, 11 Jun 2014 09:49:53 +0000

On 11 Jun 2014, at 09:41, Steven Haigh <[log in to unmask]> wrote:

> On 11/06/14 17:24, Matthias Schroeder wrote:
>> On 06/11/2014 04:12 AM, Steven Haigh wrote:
>>> On 11/06/14 12:07, Paul Robert Marino wrote:
>>>> Yes, a lot of us noticed.
>>>> Recompiling an entire distro from scratch is not an easy proposition.
>>>> Furthermore they need to strip out all of the Red Hat branding. Expect
>>>> it to take a while, at least a month or two if not more.
>>> 
>>> I think it'll take longer than normal this time around... The build
>>> process is changing completely from previous versions.
>> 
>> True, adapting the process to the new "supply chain" and source format
>> will take a while.
>> 
>>> It seems the code
>>> is getting published on git.centos.org - but it seems nobody really
>>> knows who is putting it there.
>>> 
>>> This leaves the moral quandary of 'do we all trust an anonymous source
>>> with no official ties to Red Hat?'
>> 
>> http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
>> 
>> "Current sources for Red Hat Enterprise Linux 7 have been moved to the
>> following location:
>> 
>> https://git.centos.org/project/rpms"
>> 
>> Does this reduce your moral quandary a little?
> 
> Not at all. There is no source for this data at all. Just spec files and
> patches that have 'appeared'.
> 
> The SRPMs provided by Red Hat in the past are all signed by Red Hat and
> are VERY difficult if not impossible to tamper with.
> 
> There is no method to authenticate that the files being dumped into
> git.centos.org by an unknown source (hint: It isn't the CentOS guys
> putting them there) are unmodified or even supplied by Red Hat.
> 
> This is the problem.

Ok, I see your point now. Seems I misinterpreted the ‘moral quandary’.

Matthias

> 
> -- 
> Steven Haigh
> 
> Email: [log in to unmask]
> Web: http://www.crc.id.au
> Phone: (03) 9001 6090 - 0412 935 897
> Fax: (03) 8338 0299
> 
