From: Jonathon Fernyhough <jonathon@manjaro.org> Sent: Wed Aug 08 18:09:30 CEST 2018 To: <arch-general@archlinux.org> Subject: Re: [arch-general] Kernel source URL change
On 08/08/18 12:43, Geo Kozey via arch-general wrote:
This can impose security risks on Arch as we now have to trust their github infra rather than kernel.org (we all know what happened to gentoo recently)
Just to provide some perspective, kernel.org itself had a major issue a few years back [1][2][3]. kernel.org was down for several weeks after that incident, and IIRC this prompted them to start using GitHub (at least as a mirror; my memory is fuzzy as I wasn't paying all that much attention to that sort of thing seven years ago).
IIRC in 2011 Arch didn't even use GPG for signing packages, so that's quite an ancient time.
If you don't trust the Arch-run/administered infrastructure you can't really trust any of the packages in the repos either.
The point was that before the change no user had to care about https://github.com/Archlinux, and now it's critical infrastructure for self-hosting package sources.
[1] https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
[2] https://en.wikipedia.org/wiki/Kernel.org
[3] https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/
Yours sincerely G. K.