SCIENTIFIC-LINUX-USERS Archives

September 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Wed, 3 Sep 2014 07:33:22 -0400
Content-Type: text/plain

On Wed, Sep 3, 2014 at 4:33 AM, Andreas Mock <[log in to unmask]> wrote:
> Hi Pat, hi Patrick,
>
> thanks for your answers and comments.
>
> How would someone like me get a SRPM for a binary package found or installed on
> a SL 7.0 system?
>
> I really don't understand at the moment how it is verified that sources are from
> RH and unaltered by someone in between.
>
> Best regards
> Andreas Mock

Our favorite upstream vendor signs the SRPMs and RPMs with GPG
signatures, which can be verified from their public websites and
their installation media. So do CentOS and Scientific Linux.

Now, if I could just convince our new upstream software friends over
at git.centos.org to use GPG signatures for git tags, I'd be much
happier about the provenance of software in that new public
repository. I'd be even happier if the person from Red Hat who uploads
the original source code from Red Hat would GPG sign a tag for *just
that code* with a Red Hat key, and our CentOS maintainers (some of
whom are now Red Hat employees!) could GPG sign tags for CentOS
modified software. But I'd be thrilled to pieces if they'd even affix
a CentOS tag to the Red Hat uploaded content, just for the provenance
concerns I've already raised.

Sadly, my concerns about provenance have been ignored, and now the
existing Scientific Linux development from git.centos.org is being
held up as proof that git tags are not desirable and my concerns ill
founded. It's quite galling: the current semi-manual re-assembly of
local branches, based on "git log" entries, is winding up lauded as
sufficient and superior because, frankly, it's the only thing that's
currently supported.

It's really quite galling. I've gotten quite put out with every
sys-admin in the world thinking they can re-invent the wheel, and
coming up with their own mismatched wheels, to replace what are well
designed software features like git 'tags'.
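The two checks the message above relies on, verifying the vendor GPG signature on an RPM or SRPM and verifying a GPG-signed git tag, as an added example that is not part of the original thread or of any of the distributions' own tooling. The sample `rpm -K` output lines are constructed to match the two output formats rpm 4.x has used; the file name `foo-1.0-1.el7.src.rpm` and the script name are placeholders. The point a practitioner wants to know is that `rpm -K` exits 0 for an unsigned package whose digests merely check out, so the status text has to be parsed rather than the exit code trusted:

```shell
#!/bin/sh
# Added example: verify upstream GPG provenance of an RPM/SRPM and of a git tag.
# Before checking packages, import the vendor key shipped on the install media, e.g.
#   rpm --import /path/to/RPM-GPG-KEY-file
# otherwise a signed package reports "NOT OK (MISSING KEYS ...)".

# Classify one line of `rpm -K` (alias `rpm --checksig`) output.
# Constructed sample lines covering both rpm 4.x output styles:
#   foo-1.0-1.el7.src.rpm: rsa sha1 (md5) pgp md5 OK                          -> signed
#   foo-1.0-1.el7.src.rpm: sha1 md5 OK                                        -> unsigned (exit 0!)
#   foo-1.0-1.el7.src.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS)     -> bad
#   foo-1.0-1.el7.src.rpm: digests signatures OK          (rpm >= 4.14)       -> signed
#   foo-1.0-1.el7.src.rpm: digests OK                     (rpm >= 4.14)       -> unsigned
classify_checksig_line() {
  # Only look at the status text after the "file: " prefix, lower-cased, so a
  # key-related word in the file name cannot influence the verdict.
  status=$(printf '%s\n' "$1" | sed 's/^[^:]*: *//' | tr 'A-Z' 'a-z')
  case "$status" in
    *"not ok"*)                            echo bad ;;
    *pgp*|*gpg*|*rsa*|*dsa*|*signatures*)  echo signed ;;
    *ok*)                                  echo unsigned ;;
    *)                                     echo unknown ;;
  esac
}

# Succeed only when the package carries a signature that verifies against an
# imported key; "digests OK" alone proves integrity in transit, not origin.
require_signed_rpm() {
  line=$(rpm -K "$1" 2>&1 | head -n 1)
  verdict=$(classify_checksig_line "$line")
  printf '%s: %s\n' "$1" "$verdict"
  [ "$verdict" = signed ]
}

# A signed tag is what the message wishes git.centos.org would provide:
# `git verify-tag` exits non-zero for an unsigned tag, a bad signature, or a
# signing key that is not in the local GPG keyring.
require_signed_tag() {
  git verify-tag "$1" >/dev/null 2>&1
}

# Usage: sh verify-provenance.sh foo-1.0-1.el7.src.rpm [more.rpm ...]
for f in "$@"; do
  require_signed_rpm "$f" || exit 1
done
```

Run `require_signed_tag` inside a clone of the repository you are auditing, after importing the maintainer's public key into GPG; an unsigned tag fails the check rather than passing silently, which is exactly the property the mail asks for.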
