On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis
<miro.rovis@××××××××××××××.hr> wrote:
> Apologies for my not being able to reply sooner!
>
> On 170227-18:18+0300, Andrew Savchenko wrote:
>
>> > And via a new private big business, the Github. Giving over all users to
>> > big Github brother.
>>
>> ???
>> Github is entirely optional and is only for those who want to use it
>> (we have both users and devs willing so), but in no way does anyone
>> demand its usage.
> Yeah! Still, it would be great if git was used in a distributed way, and
> not from a central private business...
>

Git can pretty much ONLY be used in a distributed way. In the sync
workflow github is basically just a mirror. A lot of our mirrors are
run by private businesses, and nobody knows what OS they're even
hosted on, let alone whether the firmware and CPU microcode are FOSS
along with their hard drive firmware.

As far as distribution goes I think github is the wrong thing to worry
about. What you want is traceable signatures from dev to user. Once
you have that you can download from an NSA mirror and there shouldn't
be any risk. All a mirror does is replicate data, and if
modifications are detectable the worst they can do is a DoS.

Most of the concerns that people tend to have with github are that you
can become dependent on them for issue and pull request tracking and
then if they decide to pull the plug you lose all that data. We try
to minimize the use of these features and not make them a core part of
the dev workflow. But, we do use pull requests and in theory we could
lose those someday. The actual code itself gets pushed to the Gentoo
infra repo from a developer's box using plain old git after they've
inspected/tested/etc it. So, there isn't really any way for Github to
go injecting commits into the repositories we actually use. I guess
they could do it for anybody using our github mirrors on the
distribution side, but that's only because we don't have that all
locked down and the same issue applies with any other mirror (rsync,
etc). Again, you really need end-to-end signature checking to make
any of these things truly safe.

-- 
Rich
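Rich's point that a mirror which only replicates data can at worst cause a DoS once signatures are checked end to end, as an added example that is not part of the thread and not Gentoo's actual mechanism (Gentoo signs with OpenPGP; this model uses Ed25519 from Go's standard library so it runs offline): a developer signs a manifest of file digests, an untrusted mirror serves files, manifest and signature, and the user verifies everything against a developer key obtained out of band. The `Mirror` type, `publish`, `fetchAndVerify`, `demo` and the sample file names are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Mirror models an untrusted replication point (GitHub, an rsync host, anything).
// It stores bytes verbatim and may alter, add or drop them; it holds no key.
type Mirror struct {
	Files    map[string][]byte
	Manifest []byte
	Sig      []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against developer key")
	ErrMissingFile    = errors.New("file listed in signed manifest is absent from mirror")
	ErrDigestMismatch = errors.New("file content does not match signed digest")
)

// buildManifest lists every file with its SHA-256 digest in a stable order,
// so the developer signs one small document that covers the whole tree.
func buildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// publish is the developer side: sign the manifest locally, then hand
// everything to the mirror. The private key never leaves the developer.
func publish(priv ed25519.PrivateKey, files map[string][]byte) *Mirror {
	m := buildManifest(files)
	copied := make(map[string][]byte, len(files))
	for n, d := range files {
		copied[n] = append([]byte(nil), d...)
	}
	return &Mirror{Files: copied, Manifest: m, Sig: ed25519.Sign(priv, m)}
}

// fetchAndVerify is the user side. The only trust input is the developer's
// public key; nothing served by the mirror is used until it checks out
// against that key. Files the mirror adds but the manifest does not list are ignored.
func fetchAndVerify(pub ed25519.PublicKey, mir *Mirror) (map[string][]byte, error) {
	if !ed25519.Verify(pub, mir.Manifest, mir.Sig) {
		return nil, ErrBadSignature
	}
	out := make(map[string][]byte)
	for _, line := range strings.Split(strings.TrimSpace(string(mir.Manifest)), "\n") {
		parts := strings.SplitN(line, " ", 2)
		if len(parts) != 2 {
			return nil, errors.New("malformed manifest line: " + line)
		}
		want, name := parts[0], parts[1]
		data, present := mir.Files[name]
		if !present {
			return nil, ErrMissingFile
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return nil, ErrDigestMismatch
		}
		out[name] = data
	}
	return out, nil
}

// demo runs four cases: a faithful mirror, and a mirror that edits a file,
// rewrites the manifest, or drops a file. Every tampered case ends in a
// verification error, so the user gets nothing (a DoS) rather than altered content.
func demo() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample tree; names and contents are placeholders.
	ebuild, meta := "app-misc/example/example-1.0.ebuild", "app-misc/example/metadata.xml"
	files := map[string][]byte{ebuild: []byte("EAPI=7\n"), meta: []byte("<pkgmetadata/>\n")}
	r := map[string]error{}

	m := publish(priv, files)
	_, r["clean"] = fetchAndVerify(pub, m)

	m = publish(priv, files)
	m.Files[ebuild] = []byte("EAPI=7\nsrc_install() { :; }\n") // mirror edits a file
	_, r["file_tampered"] = fetchAndVerify(pub, m)

	m = publish(priv, files)
	m.Files["app-misc/example/extra.ebuild"] = []byte("x")
	m.Manifest = buildManifest(m.Files) // mirror re-lists, but cannot re-sign
	_, r["manifest_tampered"] = fetchAndVerify(pub, m)

	m = publish(priv, files)
	delete(m.Files, meta) // mirror drops a file
	_, r["file_dropped"] = fetchAndVerify(pub, m)
	return r
}

func main() {
	for name, err := range demo() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

The design point is where trust enters: the developer key is pinned by the user and never fetched from the mirror, so a mirror that re-lists the tree can produce a fresh manifest but not a valid signature for it, and any edit, addition-by-relisting or omission is caught before the content is used.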