Re: [arch-general] Kernel source URL change
On August 8, 2018 4:54 AM, Giancarlo Razzolini via arch-general <arch-general@archlinux.org> wrote:
On August 7, 2018 23:31, W B via arch-general wrote:
It isn't an order.
Can you tell us why this change was required, please?
Have you read the original post to the list? Especially this [0]?
The author of the original post was only speculating about possible reasons for the recent changes. He also asked a few questions which weren't answered.
Those tar files you just linked are not signed by Linus anymore, they are signed instead by Greg Kroah-Hartman. You would have known this if you bothered to actually download them and check the signature.
Greg Kroah-Hartman's PGP key was already included in validpgpkeys inside the PKGBUILD, so there is no real argument here.
Another reason for this move is to apply our patches as commits. You can use any other kernel if you want.
There is no tradition in Arch of self-hosting package sources as Debian does unless upstream has a completely broken release process. This can impose security risks on Arch, as we now have to trust their github infra rather than kernel.org (we all know what happened to Gentoo recently). I'm aware that Barthalion made an effort to harden the Arch github infra, but this is still a new risk which didn't exist before. Is it a general Arch move to self-host sources and apply patches as commits, or will the linux kernel package stay an outlier?
[0] https://www.kernel.org/minor-changes-to-tarball-release-format.html
Cheers, Giancarlo Razzolini
Yours sincerely G. K.
On Wed, 8 Aug 2018 13:43:08 +0200 (CEST), Geo Kozey wrote:
The author of original post [snip] asked few questions which weren't answered.
Hi, the OP did ask how to build a custom kernel based on the official linux package [1]. Perhaps somebody with unobjectionable knowledge could correct related Wiki pages, at least https://wiki.archlinux.org/index.php/Kernels/Arch_Build_System .
TIA, Ralf
[1] On Wed, 1 Aug 2018 23:41:12 +0300, Andrey Vihrov via arch-general wrote:
Previously, if a new kernel version was released and was not yet in the repos, you could more or less take the official linux PKGBUILD, change one number and build it yourself. With the new layout it is not clear how to achieve this.
On 08/08/18 12:43, Geo Kozey via arch-general wrote:
This can impose security risks on Arch as we now have to trust their github infra rather than kernel.org (we all know what happened to gentoo recently)
Just to provide some perspective, kernel.org itself had a major issue a few years back [1][2][3]. kernel.org was down for several weeks after that incident, and IIRC this prompted them to start using GitHub (at least as a mirror; my memory is fuzzy as I wasn't paying all that much attention to that sort of thing seven years ago). If you don't trust the Arch-run/administered infrastructure you can't really trust any of the packages in the repos either.
[1] https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
[2] https://en.wikipedia.org/wiki/Kernel.org
[3] https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/
On Wed Aug 08 18:09:30 CEST 2018, Jonathon Fernyhough <jonathon@manjaro.org> wrote:
On 08/08/18 12:43, Geo Kozey via arch-general wrote:
This can impose security risks on Arch as we now have to trust their github infra rather than kernel.org (we all know what happened to gentoo recently)
Just to provide some perspective, kernel.org itself had a major issue a few years back [1][2][3]. kernel.org was down for several weeks after that incident, and IIRC this prompted them to start using GitHub (at least as a mirror; my memory is fuzzy as I wasn't paying all that much attention to that sort of thing seven years ago).
IIRC in 2011 Arch didn't even use gpg for signing packages, so it's quite an ancient time.
If you don't trust the Arch-run/administered infrastructure you can't really trust any of the packages in the repos either.
The point was that before the changes no user had to care about https://github.com/Archlinux, and now it's critical infrastructure for self-hosting package sources.
[1] https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
[2] https://en.wikipedia.org/wiki/Kernel.org
[3] https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/
Yours sincerely G. K.
On 08/08, Geo Kozey via arch-general wrote:
There is no tradition in Arch of self-hosting package sources as Debian does unless upstream has a completely broken release process. This can impose security risks on Arch, as we now have to trust their github infra rather than kernel.org (we all know what happened to Gentoo recently). I'm aware that Barthalion made an effort to harden the Arch github infra, but this is still a new risk which didn't exist before. [...] The point was that before the changes no user had to care about https://github.com/Archlinux, and now it's critical infrastructure for self-hosting package sources.
No, nobody has to trust github or, for that matter, kernel.org. The commits/tags are *signed* and thus makepkg will check if that signature matches one of those specified in the validpgpkeys array. From a security standpoint, it's irrelevant if the sources come from arch hosted infra, from github, or from kernel.org.
Regards, Tharre
--
PGP fingerprint: 42CE 7698 D6A0 6129 AA16 EF5C 5431 BDE2 C8F0 B2F4
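As an added example (not makepkg's own code and not part of this thread), here is the check Tharre describes, reduced to its essentials in POSIX shell: the decision is made on the primary-key fingerprint that gpg reports in its VALIDSIG status line, compared against the pinned validpgpkeys list, never on the human-readable "Good signature" text. The status lines below are constructed for the example, in the shape produced by `gpg --status-fd 1 --verify` or `git verify-tag --raw`; the two pinned fingerprints are the ones the linux PKGBUILD of that time listed for Linus Torvalds and Greg Kroah-Hartman (take them from your own copy of the PKGBUILD, not from here). The signing-subkey fingerprint, the "Mallory" key and the timestamps are made up.

```shell
#!/bin/sh
# Added example, modelled on what makepkg's signature check does; not makepkg code.

# In a real PKGBUILD this is a bash array: validpgpkeys=('ABAF...' '647F...').
# A plain space-separated string keeps this example POSIX sh compatible; the
# fingerprints are the Linus Torvalds and Greg Kroah-Hartman entries from the
# linux PKGBUILD (assumption: verify against your own copy of the PKGBUILD).
validpgpkeys='ABAF11C65A2970B130ABE3C479BE3E4300411886 647F28654894E3BD457199BE38DBBDC86092693E'

# Constructed status output for a tarball/tag signed by Greg KH. The signature is
# made with a subkey (first VALIDSIG field, made up here); the last VALIDSIG field
# is the primary-key fingerprint, which is what validpgpkeys pins.
STATUS_GKH='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-08-06 1533540000 0 4 0 1 10 00 647F28654894E3BD457199BE38DBBDC86092693E
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a perfectly valid signature from a key nobody pinned. gpg still
# prints GOODSIG, so grepping for "Good signature" would accept this.
STATUS_STRANGER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Mallory <mallory@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-08-06 1533540000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: tampered content, right key. No VALIDSIG line at all.
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 38DBBDC86092693E Greg Kroah-Hartman <gregkh@linuxfoundation.org>'

# sig_key_allowed FPR...   reads gpg status lines on stdin.
# Succeeds only if a VALIDSIG line exists AND its primary-key fingerprint
# (field 12 when "[GNUPG:]" is counted as field 1) is one of the arguments.
# Anything else (BADSIG, ERRSIG/NO_PUBKEY, no output) fails closed.
sig_key_allowed() {
    primary=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }')
    [ -n "$primary" ] || return 1
    for allowed in "$@"; do
        [ "$primary" = "$allowed" ] && return 0
    done
    return 1
}

# verdict STATUS_TEXT   prints "accept" or "reject" for one captured status output.
# $validpgpkeys is intentionally unquoted so it splits into one argument per key.
verdict() {
    if printf '%s\n' "$1" | sig_key_allowed $validpgpkeys; then
        echo accept
    else
        echo reject
    fi
}

# Stand-alone demonstration.
verdict "$STATUS_GKH"        # accept
verdict "$STATUS_STRANGER"   # reject: good signature, unpinned key
verdict "$STATUS_BAD"        # reject: no valid signature
```

Two things worth noting. First, pinning the primary fingerprint rather than the signing subkey is what lets a maintainer rotate subkeys without every downstream PKGBUILD changing. Second, if the signing key is not in the build user's keyring, gpg emits ERRSIG with NO_PUBKEY and no VALIDSIG, so this check fails closed rather than accepting an unverifiable signature; the fix is to import the key into the keyring used for the build, not to loosen the check.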
On 8/8/18 4:11 PM, Tharre via arch-general wrote:
On 08/08, Geo Kozey via arch-general wrote:
There is no tradition in Arch of self-hosting package sources as Debian does unless upstream has a completely broken release process. This can impose security risks on Arch, as we now have to trust their github infra rather than kernel.org (we all know what happened to Gentoo recently). I'm aware that Barthalion made an effort to harden the Arch github infra, but this is still a new risk which didn't exist before. [...] The point was that before the changes no user had to care about https://github.com/Archlinux, and now it's critical infrastructure for self-hosting package sources.
No, nobody has to trust github or, for that matter, kernel.org. The commits/tags are *signed* and thus makepkg will check if that signature matches one of those specified in the validpgpkeys array.
From a security standpoint, it's irrelevant if the sources come from arch hosted infra, from github, or from kernel.org.
I'm all for hosting it through bittorrent TBH.
--
Eli Schwartz
Bug Wrangler and Trusted User
participants (5): Eli Schwartz, Geo Kozey, Jonathon Fernyhough, Ralf Mardorf, Tharre