On Wed, Sep 3, 2014 at 8:38 PM, Nico Kadel-Garcia <[log in to unmask]> wrote:
> On Wed, Sep 3, 2014 at 1:45 PM, R P Herrold <[log in to unmask]> wrote:
>> On Wed, 3 Sep 2014, Nico Kadel-Garcia wrote:
>>
>>> It's quite galling: the current semi-manual re-assembly of
>>> local branches, based on "git log" entries, is winding up
>>> lauded as sufficient and superior because, frankly, it's the
>>> only thing that's currently supported.
>>
>> Nico
>>
>> I get it -- you are unhappy about unsigned SRPMS. I am
>> located in the US and so readily subject to the reach of the
>> upstream as a target for litigation on perceived EULA / terms
>> of use / etc violations. I won't be exposing such a tool
>> publicly, but then ...

And oh, yes, the SRPMs are signed. That's not my concern. It's the
lack of provenance or verifiability for the "canonical" content at
git.centos.org. CentOS, and Scientific Linux, and almost every RPM
publisher, sign their RPMs and SRPMs with relevant GPG tags. It's
the uncertainty of copying a git repo, possibly even a poisoned one,
and not being able to tell if the code is valid in your copies or
copies of copies.
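The concern above is that a cloned git repository, unlike a GPG-signed RPM or SRPM, carries nothing a downstream copy can check against a publisher key. The usual answer is a signed annotated tag (or signed commits) that a build script refuses to proceed without. The script below is an added example, not code from this thread or from the CentOS project; it assumes only that git is installed, and that gpg plus an imported publisher key are present for the positive verification path. The sample repository it builds is constructed data with an unsigned tag, so the gate fails on it by design.

```shell
#!/bin/sh
# Added example: gate a build on a signed, verifiable git tag.
# Assumes git is installed; gpg and an imported signing key are needed
# only for the positive path of verify_tag_signature.

# Return 0 if the tag object carries a PGP signature block, 1 otherwise.
# This is a structural check only; it says nothing about who signed it.
tag_is_signed() {
    repo="$1"; tag="$2"
    # Lightweight tags are plain refs, not "tag" objects, so they can never
    # carry a signature; a missing tag fails here as well.
    [ "$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null)" = "tag" ] || return 1
    git -C "$repo" cat-file -p "refs/tags/$tag" | grep -q -- '-----BEGIN PGP SIGNATURE-----'
}

# Return 0 only when git can cryptographically verify the tag against a key
# in the local keyring. Unsigned, missing, or unverifiable tags all fail, so
# a build that calls this first never proceeds on unchecked content.
verify_tag_signature() {
    repo="$1"; tag="$2"
    tag_is_signed "$repo" "$tag" || return 1
    git -C "$repo" verify-tag "$tag" >/dev/null 2>&1
}

# Build a throwaway repository with one empty commit and an unsigned
# annotated tag (constructed sample data) so the checks run offline.
# Prints the repository path.
make_sample_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" -c user.name=sample -c user.email=sample@example.invalid \
        commit -q --allow-empty -m "sample commit"
    git -C "$dir" -c user.name=sample -c user.email=sample@example.invalid \
        tag -a -m "unsigned release tag" v1.0
    printf '%s\n' "$dir"
}

# Stand-alone run: show the gate rejecting the unsigned sample tag.
if [ "${0##*/}" != "sh" ] && [ -z "$VERIFY_TAG_NO_DEMO" ]; then
    sample=$(make_sample_repo)
    if verify_tag_signature "$sample" v1.0; then
        echo "v1.0 in $sample verified (unexpected for the sample repo)"
    else
        echo "v1.0 in $sample is not a verifiable signed tag; refusing to build"
    fi
    rm -rf "$sample"
fi
```

On a real checkout the same two functions are called with the publisher's tag name; `git verify-tag` consults the local gpg keyring, so the publisher's key has to be imported and its trust level set deliberately rather than accepted on first use. For commits rather than tags, `git verify-commit` and `git log --show-signature` play the same role. None of this helps when the upstream never signs anything, which is exactly the gap the message above describes.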