[arch-general] Kernel source URL change

Jonathon Fernyhough jonathon at manjaro.org
Wed Aug 8 16:09:30 UTC 2018


On 08/08/18 12:43, Geo Kozey via arch-general wrote:
> This can impose security risks on Arch as we now have to
> trust their github infra rather than kernel.org (we all know what happened to gentoo recently)

Just to provide some perspective, kernel.org itself had a major issue a
few years back [1][2][3]. kernel.org was down for several weeks after
that incident, and IIRC this prompted them to start using GitHub (at
least as a mirror; my memory is fuzzy as I wasn't paying all that much
attention to that sort of thing seven years ago).

If you don't trust the Arch-run/administered infrastructure you can't
really trust any of the packages in the repos either.

[1] https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
[2] https://en.wikipedia.org/wiki/Kernel.org
[3] https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20180808/5bbee77a/attachment.asc>


More information about the arch-general mailing list