http://springdale.math.ias.edu/wiki/disclaimer
"This software is provided with no warranty and no guarantee. We use the
readily available source code provided by Red Hat to build the
distribution. Any problems/vulnerabilities that are found in Red Hat are
going to be present in our versions unless we specifically patched our
versions.
Whenever possible, we follow the release and support schedules from Red
Hat. When source rpms are available, we will begin building and testing
them. We believe that the testing done by Red Hat will be much greater
than our own and in most cases we rely on their testing."
On 12/14/20 10:27 PM, Yasha Karant wrote:
As I recall, what you state below is similar in sentiment to
response/s when I noted the "same" comment concerning Princeton EL in
the past. I take it from your response no one in the larger EL
community (including HPC/HTC) shares the Princeton "sentiment" and
that there is no "basis in data/fact" for it? At that time, we
decided to deploy SL; CentOS Stream, however, is totally unsatisfactory
for our needs.
On 12/14/20 1:10 PM, Konstantin Olchanski wrote:
and ... CentOS RPMs are not 100% safe ...
This is a very unexpected statement. I feel it should not be passed
unquestioned.
Is there any meat there, or is it just a general statement on the security
of the CentOS build process vs the security of the Red Hat build process
vs the security of the Princeton build process? (including signatures of
source code, signatures of binary packages, security of the mirror network, etc).