Hello John,

On Thu, 2017-02-09 at 16:33 +0000, John Hodrien wrote:
> On Thu, 9 Feb 2017, Leonard den Ottolander wrote:
>
> > How about my request for checksums in the git repo?
>
> What checksums would you actually want in git?

SRPMS are signed which allows the integrity of the contents to be
checked. Such an integrity check is missing from the git repo.

Either a checksum file for each file or a single checksums file per
package/release holding all checksums for all files of said
package/release (including the tarballs that are downloaded with
get_sources.sh).

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
On 02/09/2017 12:50 PM, Leonard den Ottolander wrote:
> Hello John,
>
> On Thu, 2017-02-09 at 16:33 +0000, John Hodrien wrote:
>> On Thu, 9 Feb 2017, Leonard den Ottolander wrote:
>>
>>> How about my request for checksums in the git repo?
>>
>> What checksums would you actually want in git?
>
> SRPMS are signed which allows the integrity of the contents to be
> checked. Such an integrity check is missing from the git repo.
>
> Either a checksum file for each file or a single checksums file per
> package/release holding all checksums for all files of said
> package/release (including the tarballs that are downloaded with
> get_sources.sh).
>
> Regards,
> Leonard.
>

Red Hat exports the source code to the repo, I don't think they are
going to change what they put in. It is an extracted SRPM.
On Thu, 2017-02-09 at 12:53 -0600, Johnny Hughes wrote:
> Red Hat exports the source code to the repo, I don't think they are
> going to change what they put in. It is an extracted SRPM.

It shouldn't be hard to generate a checksum file. Or should this request
be directed at Red Hat?

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
On 02/09/2017 12:53 PM, Johnny Hughes wrote:
> On 02/09/2017 12:50 PM, Leonard den Ottolander wrote:
>> Hello John,
>>
>> On Thu, 2017-02-09 at 16:33 +0000, John Hodrien wrote:
>>> On Thu, 9 Feb 2017, Leonard den Ottolander wrote:
>>>
>>>> How about my request for checksums in the git repo?
>>>
>>> What checksums would you actually want in git?
>>
>> SRPMS are signed which allows the integrity of the contents to be
>> checked. Such an integrity check is missing from the git repo.
>>
>> Either a checksum file for each file or a single checksums file per
>> package/release holding all checksums for all files of said
>> package/release (including the tarballs that are downloaded with
>> get_sources.sh).
>>
>> Regards,
>> Leonard.
>>
>
> Red Hat exports the source code to the repo, I don't think they are
> going to change what they put in. It is an extracted SRPM.

At the time of extraction, the <name>.metadata file is created (again,
not by us, but by the Red Hat team that distributes source), and all the
non-text sha1sums are in there as well as all the text sources. You can
see who modifies any of those files (the text sources and the text
<name>.metadata file).
On 02/09/2017 10:50 AM, Leonard den Ottolander wrote:
> SRPMS are signed which allows the integrity of the contents to be
> checked. Such an integrity check is missing from the git repo.

Git already has the protection you're looking for. As part of its core
design, git uses a hash chain to verify the integrity of its history.
Every change and every file is thus protected. It's impossible to
insert changes or to modify the history of the git repository in a way
that wouldn't be extremely visible to all users.

If you check out a module using git, and fetch its external sources
using get_sources.sh, you can rest assured that every file used to build
an RPM has been hashed and verified.
Hello Gordon,

On Thu, 2017-02-09 at 12:38 -0800, Gordon Messmer wrote:
> Git already has the protection you're looking for. As part of its core
> design, git uses a hash chain to verify the integrity of its history.
> Every change and every file is thus protected. It's impossible to
> insert changes or to modify the history of the git repository in a way
> that wouldn't be extremely visible to all users.
>
> If you check out a module using git, and fetch its external sources
> using get_sources.sh, you can rest assured that every file used to build
> an RPM has been hashed and verified.

Alright, understood. Only the sources downloaded with get_sources.sh
need a checksum then. Which are the ones in <package>.metadata.

Thanks for clearing this up and sorry Johnny for the fuss :) .

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research