On Fri, Jun 13, 2014 at 11:53 AM, Patrick J. LoPresti
<[log in to unmask]> wrote:
> On Thu, Jun 12, 2014 at 9:11 PM, Nico Kadel-Garcia <[log in to unmask]> wrote:
>>
>> git repositories *can* be as easy to use as SRPM's, *if* they are
>> tagged, and *if* there is a way to obtain an index of the relevant
>> tags of a particular point release. So the risk isn't in using git:
>> it's in the lack, so far, of relevant tags to distinguish RHEL source
>> code from whatever CentOS may choose to modify, and the potential for
>> unknown changes between the RHEL internal git repositories and
>> whatever CentOS may choose to integrate and publish.
>
> I would expect TUV (Red Hat) sources to be on one branch and all
> CentOS modifications on a different branch.

Nope. They're entirely distinct repositories with straight imports
applied as step one, no cloning of the upstream RHEL git repos.

> This seems a minimal requirement for sanity. Are you saying this is
> not what they are doing?

Look for yourself at http://git.centos.org/. I spent several long
chats with someone about security practices this week, where they
could not believe other people were not following their assumed
security practices: this is a similar situation. There is nothing in
the GPL or open source licenses that require publishing your revision
history. And exposing that history  can expose internal comments,
internal employee names, and personal development history of
proprietary projects that were later factored out of open source or
GPL code.