baobun 6 days ago

Mostly agree.

I think they have some improvement to do on supply chain though. A lot of random COPRs and kernel patches pulled in from various random third- and first-party repos that I think should get consolidated before I can consider it mature and really ready for prime time.

Similarly it would also be nice to see end-to-end builds being reproducible locally. (Things are currently hardcoded to github.com or tied to GitHub Actions in a few places. The patching required for that is nothing crazy - Good First Issue material :))

jcastro 3 days ago

For Bluefin LTS we're in control of all the 3rd party repositories we use. We depend on EPEL, but so does everybody else. I am unaware of any kernel patches that we are shipping, since we ship the default CentOS Stream kernel and the optional hwe kernel ships CentOS's kmod kernel.

baobun 3 days ago

Really? Do you control the negativo17.org repo (just one example from akmods)?

https://github.com/ublue-os/akmods/blob/9946c17373b1a49e60a0...

https://github.com/ublue-os/bluefin-lts/blob/84cac6e9a063ec5...

How about jreilly1821? Looks like nothing's really preventing them from sneaking in a malicious version of glib2..

https://github.com/ublue-os/bluefin-lts/blob/84cac6e9a063ec5...

jcastro a day ago

I would be in trouble if I didn't trust jreilly1821 since he's one of the Bluefin maintainers. And the nvidia binaries come from an nvidia employee.

trogdor3000 2 days ago

Hi, I'm jreilly1821. I made those COPRs for Bluefin LTS. I guess I could put something malicious in, but you can see that they are all just packages from Fedora DistGit. I'm not sure what your preference would be? I think distros have a mystique given to them that is misappropriated. At the end of the day they are mostly middlemen packaging someone else's code.

Bootc is and will change things, images will be tested as an integrated experience and we'll continue to strive to pull from as far upstream as we can.

Negativo17 is Simone, an NVIDIA employee who has been instrumental in packaging nvidia drivers for Linux for years. I don't know for certain, but I wouldn't be surprised if they are also doing the official packaging for nvidia drivers as well. Needless to say, they are very trusted and a known entity in the Linux community.

hedora 3 days ago

You control github?

bjconlan 3 days ago

Perhaps if a supply chain attack is your largest concern, then using some well-vetted system like wolfi is more up your alley. (See some of their related repos on GitHub https://github.com/projectbluefin - I've been following the development of it and currently it is still under development.)

Again, "vetting" is a source of contention here, as I'm not sure how the quality of official rpm sources compares to those outlined in an SBOM.