On 08/08/18 12:43, Geo Kozey via arch-general wrote:
> This can impose security risks on Arch as we now have to trust their GitHub infra rather than kernel.org (we all know what happened to Gentoo recently)

Just to provide some perspective, kernel.org itself had a major issue a few years back [1][2][3]. kernel.org was down for several weeks after that incident, and IIRC this prompted them to start using GitHub (at least as a mirror; my memory is fuzzy as I wasn't paying all that much attention to that sort of thing seven years ago).

If you don't trust the Arch-run/administered infrastructure you can't really trust any of the packages in the repos either.

[1] https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
[2] https://en.wikipedia.org/wiki/Kernel.org
[3] https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/