[arch-general] Kernel source URL change

Geo Kozey geokozey at mailfence.com
Wed Aug 8 16:47:42 UTC 2018

> From: Jonathon Fernyhough <jonathon at manjaro.org>
> Sent: Wed Aug 08 18:09:30 CEST 2018
> To: <arch-general at archlinux.org>
> Subject: Re: [arch-general] Kernel source URL change
> On 08/08/18 12:43, Geo Kozey via arch-general wrote:
> > This can impose security risks on Arch as we now have to
> > trust their github infra rather than kernel.org (we all know what happened to gentoo recently)
> Just to provide some perspective, kernel.org itself had a major issue a
> few years back [1][2][3]. kernel.org was down for several weeks after
> that incident, and IIRC this prompted them to start using GitHub (at
> least as a mirror; my memory is fuzzy as I wasn't paying all that much
> attention to that sort of thing seven years ago).

IIRC in 2011 Arch didn't even used gpg for signing packages so it's quite ancient time.

> If you don't trust the Arch-run/administered infrastructure you can't
> really trust any of the packages in the repos either.

The point was that before changes no user had to care about https://github.com/Archlinux
and now it's critical infrastructure for self-hosting package sources.

> [1] https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
> [2] https://en.wikipedia.org/wiki/Kernel.org
> [3] https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/

Yours sincerely

G. K.

More information about the arch-general mailing list