LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

September 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS September 2014

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	AW: AW: [SCIENTIFIC-LINUX-USERS] Questions about SL 7.0
From:	Andreas Mock <[log in to unmask]>
Reply To:	Andreas Mock <[log in to unmask]>
Date:	Wed, 3 Sep 2014 12:38:48 +0000
Content-Type:	text/plain
Parts/Attachments:	text/plain (1 lines)

Hi Nico,



thank you for your both answers.



I'm really not happy to hear this summary and I really don't understand it.

(But I have an idea why it was done this way by RH)



Is there not much more skepticism out there for the validity/integrity of the sources?



Just because I'm curious: Would it be legal to buy one RH subscription to

get the SRPM to build a clone from that? I'm asking because an organisation

like Femilabs or CERN should have the money to buy one subscription to

have a sane base for a clone. And I've chosen SL because I hoped to have

a distribution with stability in mind. So, up to now every update and upgrade

worked like a charm. Big thumb up for all who did this work.



Best regards

Andreas Mock







> -----Ursprüngliche Nachricht-----

> Von: Nico Kadel-Garcia [mailto:[log in to unmask]]

> Gesendet: Mittwoch, 3. September 2014 13:33

> An: Andreas Mock

> Cc: Patrick J. LoPresti; Pat Riehecky; SCIENTIFIC-LINUX-

> [log in to unmask]

> Betreff: Re: AW: [SCIENTIFIC-LINUX-USERS] Questions about SL 7.0

> 

> On Wed, Sep 3, 2014 at 4:33 AM, Andreas Mock

> <[log in to unmask]> wrote:

> > Hi Pat, hi Patrick,

> >

> > thanks for your answers and comments.

> >

> > How would someone like me get a SRPM for a binary package found or

> > installed on a SL 7.0 system?

> >

> > I really don't understand in the moment how it is verified that

> > sources are from RH and unaltered by someone in between.

> >

> > Best regards

> > Andreas Mock

> 

> Our favorite upstream vendor signs the SRPM's and RPM's with GPG

> signatures, whicih can be verified from their public websites and their

> installation media. So do CentOS and Scientifici Linux.

> 

> Now, if I could just convince our new upstream software friends over at

> git.centos.org to use GPG signatures for git tags, I'd be much happier about

> the provenance of software in that new public repository. I'd be even

> happier if the person from Red Hat who uploads the original source code

> from Red Hat would GPG sign a tag for *just that code* with a Red Hat key,

> and our CentOS maintainers (some of whom are now Red Hat employees!)

> could GPG sign tags for CentOS modified software. But I'd be thrilled to

> pieces if they'd even affix a CentOS tg to the Red HAt uploaded content, just

> for the provenance concerns I've already raised.

> 

> Sadly, my concerns about provenance have been ignored, and now the

> existing Scientific Linux development from git.centos.org is being held up as

> proof that git tags are not desirable and my concerns ill founded. It's quite

> galling: the current semi-manual re-assembly of local branches, based on "git

> log" entries, is winding up lauded as sufficient and superior because, frankly,

> it's the only thing that's currently supported.

> 

> It's really quite galling. I've gotten quite put out with every sys-admin in the

> world thinking they can re-invent the wheel, and coming up with their own

> mismatched wheels, to replace what are well designed software features

> like git 'tags'.

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV