SCIENTIFIC-LINUX-USERS Archives

September 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Nico Kadel-Garcia <[log in to unmask]>
Reply To:
Nico Kadel-Garcia <[log in to unmask]>
Date:
Wed, 3 Sep 2014 22:23:19 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (25 lines)
On Wed, Sep 3, 2014 at 8:38 PM, Nico Kadel-Garcia <[log in to unmask]> wrote:
> On Wed, Sep 3, 2014 at 1:45 PM, R P Herrold <[log in to unmask]> wrote:
>> On Wed, 3 Sep 2014, Nico Kadel-Garcia wrote:
>>
>>> It's quite galling: the current semi-manual re-assembly of
>>> local branches, based on "git log" entries, is winding up
>>> lauded as sufficient and superior because, frankly, it's the
>>> only thing that's currently supported.
>>
>> Nico
>>
>> I get it -- you are unhappy about unsigned SRPMS.  I am
>> located in the US and so readily subject to the reach of the
>> upstream as a target for litigation on perceived EULA / terms
>> of use / etc violations.  I won't be exposing such a tool
>> publicly, but then ...

And oh, yes, the SRPMs are signed. That's not my concern. It's the
lack of provenance or verifiability for the "canonical" content at
git.centos.org. CentOS, and Scientific Linux, and almost every RPM
publisher, sign their RPMs and SRPMs with relevant GPG tags. It's
the uncertainty of copying a git repo, possibly even a poisoned one,
and not being able to tell if the code is valid in your copies or
copies of copies.
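The concern in the message above is the difference between integrity and provenance. A git history is a hash chain, so a clone's head id does commit to every byte in it; but a "copy of a copy" that was altered on the way is an equally self-consistent history with its own valid id, and nothing in the repo itself tells you which one matches the publisher's content. What the signed RPMs and SRPMs give you, and what the message says git.centos.org does not, is a reference you can trust out-of-band (a signed tag, or a commit id published through a signed channel). The following is an added illustration, not code from this thread or from CentOS: it recomputes git blob, tree and commit ids exactly as git does (SHA-1 over "<type> <size>\0" + payload) for a constructed two-file dist-git-style tree, then checks a clone against a pinned head id. The pinned id here is simply computed from the pristine tree, standing in for an id you would have obtained through a signed channel; the author identity, file names and timestamp are constructed.

```python
from __future__ import annotations

import binascii
import hashlib

# Constructed sample: a tiny dist-git style branch with a spec file and one source.
PRISTINE_TREE = {
    "foo.spec": b"Name: foo\nVersion: 1.0\nRelease: 1\n",
    "foo.sh": b"#!/bin/sh\necho hello\n",
}
# The same tree after the shipped script was altered somewhere along a chain of copies.
POISONED_TREE = dict(PRISTINE_TREE, **{"foo.sh": b"#!/bin/sh\necho hello, tampered\n"})

AUTHOR = "Example Packager <packager@example.invalid>"  # hypothetical identity
MESSAGE = "import foo-1.0-1"


def git_object_id(obj_type: str, payload: bytes) -> str:
    """The SHA-1 git assigns to an object: sha1(b"<type> <size>\\0" + payload)."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    """Id of a file's content, as `git hash-object` would report it."""
    return git_object_id("blob", content)


def tree_id(entries: dict[str, bytes]) -> str:
    """Id of a flat tree of regular files (mode 100644); git sorts entries by name."""
    body = b""
    for name in sorted(entries):
        # Each entry is "<mode> <name>\0" followed by the raw 20-byte blob id.
        body += b"100644 " + name.encode() + b"\0" + binascii.unhexlify(blob_id(entries[name]))
    return git_object_id("tree", body)


def commit_id(tree: str, parents: list[str], author: str, message: str,
              timestamp: int = 1409783000) -> str:
    """Id of a commit object; the timestamp is fixed so the example is reproducible."""
    ident = f"{author} {timestamp} -0400"
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


def head_id(entries: dict[str, bytes], parents: tuple[str, ...] = ()) -> str:
    """Head commit id of a one-commit history holding `entries`."""
    return commit_id(tree_id(entries), list(parents), AUTHOR, MESSAGE)


def clone_matches_pinned(entries: dict[str, bytes], pinned_commit: str) -> bool:
    """Recompute a clone's head id from its content and compare it with the trusted id."""
    return head_id(entries) == pinned_commit


if __name__ == "__main__":
    # Stands in for an id obtained through a signed channel (a signed tag, a signed announcement).
    pinned = head_id(PRISTINE_TREE)
    print("pinned head:      ", pinned)
    print("pristine clone ok:", clone_matches_pinned(PRISTINE_TREE, pinned))
    print("poisoned clone ok:", clone_matches_pinned(POISONED_TREE, pinned))
    # The poisoned copy is still a perfectly self-consistent history with its own valid id,
    # which is why the hash chain alone cannot tell you which copy is the publisher's.
    print("poisoned head:    ", head_id(POISONED_TREE))
```

Run against a real clone, the same comparison is `git rev-parse HEAD` against an id you trust; where the publisher signs tags or commits, `git verify-tag` / `git verify-commit` perform the check with the publisher's GPG key, which is the git-side counterpart of `rpm --checksig` on a signed SRPM.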
