Hi Nico, thank you for both your answers.

I'm really not happy to hear this summary and I really don't understand it. (But I have an idea why it was done this way by RH.) Is there not much more skepticism out there for the validity/integrity of the sources?

Just because I'm curious: Would it be legal to buy one RH subscription to get the SRPM to build a clone from that? I'm asking because an organisation like Fermilab or CERN should have the money to buy one subscription to have a sane base for a clone.

And I've chosen SL because I hoped to have a distribution with stability in mind. So, up to now every update and upgrade worked like a charm. Big thumbs up for all who did this work.

Best regards
Andreas Mock

> -----Original Message-----
> From: Nico Kadel-Garcia [mailto:[email protected]]
> Sent: Wednesday, 3 September 2014 13:33
> To: Andreas Mock
> Cc: Patrick J. LoPresti; Pat Riehecky; SCIENTIFIC-LINUX-[email protected]
> Subject: Re: AW: [SCIENTIFIC-LINUX-USERS] Questions about SL 7.0
>
> On Wed, Sep 3, 2014 at 4:33 AM, Andreas Mock <[email protected]> wrote:
> > Hi Pat, hi Patrick,
> >
> > thanks for your answers and comments.
> >
> > How would someone like me get a SRPM for a binary package found or installed on a SL 7.0 system?
> >
> > I really don't understand at the moment how it is verified that sources are from RH and unaltered by someone in between.
> >
> > Best regards
> > Andreas Mock
>
> Our favorite upstream vendor signs the SRPMs and RPMs with GPG signatures, which can be verified from their public websites and their installation media. So do CentOS and Scientific Linux.
>
> Now, if I could just convince our new upstream software friends over at git.centos.org to use GPG signatures for git tags, I'd be much happier about the provenance of software in that new public repository.
>
> I'd be even happier if the person from Red Hat who uploads the original source code from Red Hat would GPG sign a tag for *just that code* with a Red Hat key, and our CentOS maintainers (some of whom are now Red Hat employees!) could GPG sign tags for CentOS modified software. But I'd be thrilled to pieces if they'd even affix a CentOS tag to the Red Hat uploaded content, just for the provenance concerns I've already raised.
>
> Sadly, my concerns about provenance have been ignored, and now the existing Scientific Linux development from git.centos.org is being held up as proof that git tags are not desirable and my concerns ill founded. It's quite galling: the current semi-manual re-assembly of local branches, based on "git log" entries, is winding up lauded as sufficient and superior because, frankly, it's the only thing that's currently supported.
>
> It's really quite galling. I've gotten quite put out with every sys-admin in the world thinking they can re-invent the wheel, and coming up with their own mismatched wheels, to replace what are well designed software features like git 'tags'.
