[arch-general] Kernel source URL change
Geo Kozey
geokozey at mailfence.com
Wed Aug 8 11:43:08 UTC 2018
On August 8, 2018 4:54 AM, Giancarlo Razzolini via arch-general <arch-general at archlinux.org> wrote:
> Em agosto 7, 2018 23:31 W B via arch-general escreveu:
>
> > It isn't an order.
> >
> > > Can you tell us why this change was required, please?
>
> Have you read the original post to the list? Specially this [0]?
>
The author of original post was only speculating about possible reasons for the recent
changes. He also asked few questions which weren't answered.
> Those tar files you just linked are not signed by Linus anymore, they are signed
> instead by Greg Kroah-Hartman. You would have known this if you bothered to actually
> download them and check the signature.
>
Greg Kroah-Hartman PGP key was already included as validpkgkey inside PKGBUILD so there
is no real argument here.
> Another reason for this move is to apply our patches as commits. You can use any other
> kernel if you want.
>
There is no tradition in Arch to self-host package sources as Debian does unless upstream has
completely broken release process. This can impose security risks on Arch as we now have to
trust their github infra rather than kernel.org (we all know what happened to gentoo recently).
I'm aware that Barthalion made an effort to hardenize Arch github infra but still this is a new risk
which didn't exist before.
Is it general Arch move to self-host sources and applying patches as commits or will linux kernel
package stay as outlier?
> [0] https://www.kernel.org/minor-changes-to-tarball-release-format.html
>
> Cheers,
> Giancarlo Razzolini
Yours sincerely
G. K.
More information about the arch-general
mailing list