On 8/8/18 4:11 PM, Tharre via arch-general wrote:
> On 08/08, Geo Kozey via arch-general wrote:
>> There is no tradition in Arch to self-host package sources as Debian does unless upstream has completely broken release process. This can impose security risks on Arch as we now have to trust their github infra rather than kernel.org (we all know what happened to gentoo recently). I'm aware that Barthalion made an effort to hardenize Arch github infra but still this is a new risk which didn't exist before. [...] The point was that before changes no user had to care about https://github.com/Archlinux and now it's critical infrastructure for self-hosting package sources.
>
> No, nobody has to trust github or for that fact kernel.org. The commits/tags are *signed* and thus makepkg will check if that signature matches one of those specified in the validpgpkeys array.
>
> From a security standpoint, it's irrelevant if the sources come from arch hosted infra, from github, or from kernel.org.
I'm all for hosting it through bittorrent TBH.

--
Eli Schwartz
Bug Wrangler and Trusted User
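The check Tharre describes, as an added illustration that is not makepkg's own code and not part of the thread: a git tag signature is accepted only when gpg reports it valid *and* the signing key is one listed in validpgpkeys, so a valid signature from any other key (the situation a compromised hosting account would produce) is rejected. The fingerprints and gpg status lines below are constructed, and the function takes the allowlist as a space-separated string rather than a bash array so it runs under plain sh.

```sh
#!/bin/sh
# Added example (not makepkg's own code): mirror the decision makepkg makes for a
# git source with a signed tag. Input is the gpg status output (--status-fd style
# lines) that `git verify-tag --raw <tag>` emits; a valid signature from a key
# that is not in validpgpkeys must fail, just like a bad signature.

# Hypothetical allowlist, the equivalent of a PKGBUILD's validpgpkeys array,
# as a space-separated string (constructed fingerprint, uppercase hex).
VALIDPGPKEYS='ABCDEF0123456789ABCDEF0123456789ABCDEF01'

# check_tag_status STATUS_TEXT ALLOWED_FPRS -> 0 if a VALIDSIG line names a
# listed fingerprint (the signing key, or in field 12 its primary key, so a
# subkey of a listed key passes) and no BADSIG/ERRSIG line appears; 1 otherwise.
check_tag_status() {
    status=$1
    allowed=$2
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                set -- $line    # $3 = signing key fpr, $12 = primary key fpr
                for fpr in "$3" "${12:-}"; do
                    [ -n "$fpr" ] || continue
                    for k in $allowed; do
                        if [ "$k" = "$fpr" ]; then ok=0; fi
                    done
                done ;;
        esac
    done <<EOF
$status
EOF
    return $ok
}

# Constructed status for a good signature by the allowlisted key.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 23456789ABCDEF01 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2018-08-08 1533744000 0 4 0 1 8 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_ULTIMATE 0 pgp'
# Constructed status for a signature gpg calls valid, but from a key that is
# not in validpgpkeys: the case a compromised hosting account would yield.
UNLISTED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0011223344556677 Someone Else <else@example.org>
[GNUPG:] VALIDSIG 1122334455667788990011223344556677889900 2018-08-08 1533744000 0 4 0 1 8 00 1122334455667788990011223344556677889900
[GNUPG:] TRUST_UNDEFINED 0 pgp'

check_tag_status "$GOOD_STATUS" "$VALIDPGPKEYS" && echo "accepted: signer is in validpgpkeys"
check_tag_status "$UNLISTED_STATUS" "$VALIDPGPKEYS" || echo "rejected: valid signature, but key not in validpgpkeys"
```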