On Wed, Sep 3, 2014 at 8:38 PM, Nico Kadel-Garcia <[email protected]> wrote:
> On Wed, Sep 3, 2014 at 1:45 PM, R P Herrold <[email protected]> wrote:
>> On Wed, 3 Sep 2014, Nico Kadel-Garcia wrote:
>>
>>> It's quite galling: the current semi-manual re-assembly of
>>> local branches, based on "git log" entries, is winding up
>>> lauded as sufficient and superior because, frankly, it's the
>>> only thing that's currently supported.
>>
>> Nico
>>
>> I get it -- you are unhappy about unsigned SRPMS. I am
>> located in the US and so readily subject to the reach of the
>> upstream as a target for litigation on perceived EULA / terms
>> of use / etc violations. I won't be exposing such a tool
>> publicly, but then ...
And oh, yes, the SRPMs are signed. That's not my concern. It's the lack of provenance or verifiability for the "canonical" content at git.centos.org. CentOS, and Scientific Linux, and almost every RPM publisher, sign their RPMs and SRPMs with relevant GPG tags. It's the uncertainty of copying a git repo, possibly even a poisoned one, and not being able to tell if the code is valid in your copies or copies of copies.
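The contrast drawn in this message, a signed SRPM versus a git clone with no proof of origin, comes down to a few checks a consumer can run. The script below is an added example and is not code from the thread or from the CentOS project; it assumes `git` and `rpm` are on the PATH and that the publisher's public key has already been imported into the verifying GPG keyring. The repository path, tag names and package path are placeholders supplied by the caller. An annotated tag that was never signed fails `git verify-tag` with "no signature found", which is precisely the gap the message describes: a clone of a clone carries the history but nothing that proves who produced it.

```shell
#!/bin/sh
# Added example (not from the thread): provenance checks for a git clone and
# for an RPM/SRPM. Each function returns 0 on success, 1 on an unsigned or
# bad signature, and 2 if the required tool is not installed.

# Return 0 if TAG in REPO carries a signature that verifies against a key in
# the local GPG keyring, 1 if it is unsigned or the signature is bad.
verify_git_tag() {
    repo=$1
    tag=$2
    command -v git >/dev/null 2>&1 || return 2
    git -C "$repo" verify-tag "$tag" >/dev/null 2>&1
}

# Same check for a single commit object (REV may be HEAD, a sha, or a branch).
verify_git_commit() {
    repo=$1
    rev=$2
    command -v git >/dev/null 2>&1 || return 2
    git -C "$repo" verify-commit "$rev" >/dev/null 2>&1
}

# Walk every tag in REPO, print one line per tag, and succeed only if there is
# at least one tag and every tag verifies. A clone with unsigned tags fails
# here, which is the state the message above complains about.
audit_tags() {
    repo=$1
    command -v git >/dev/null 2>&1 || return 2
    total=0
    bad=0
    for t in $(git -C "$repo" tag -l); do
        total=$((total + 1))
        if verify_git_tag "$repo" "$t"; then
            echo "OK   $t"
        else
            echo "FAIL $t (unsigned or signature does not verify)"
            bad=$((bad + 1))
        fi
    done
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Check the GPG signature and digests of an RPM or SRPM. rpm -K exits
# non-zero when the package is not OK (bad signature, missing file, or a
# signing key that has not been imported into the rpm keyring).
verify_rpm_sig() {
    pkg=$1
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -K "$pkg"
}
```

Typical use is `audit_tags /path/to/clone` before building from it, and `verify_rpm_sig foo-1.0-1.el7.src.rpm` for the package side (the package name is a placeholder). Import the publisher's key first (`gpg --import` for git, `rpm --import` for rpm); without it, signed content reports as unverifiable rather than as valid, so a missing key is treated as a failure, not a pass.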
