[arch-general] Kernel source URL change
Geo Kozey
geokozey at mailfence.com
Wed Aug 8 16:47:42 UTC 2018
> From: Jonathon Fernyhough <jonathon at manjaro.org>
> Sent: Wed Aug 08 18:09:30 CEST 2018
> To: <arch-general at archlinux.org>
> Subject: Re: [arch-general] Kernel source URL change
>
>
> On 08/08/18 12:43, Geo Kozey via arch-general wrote:
> > This can impose security risks on Arch as we now have to
> > trust their github infra rather than kernel.org (we all know what happened to gentoo recently)
>
> Just to provide some perspective, kernel.org itself had a major issue a
> few years back [1][2][3]. kernel.org was down for several weeks after
> that incident, and IIRC this prompted them to start using GitHub (at
> least as a mirror; my memory is fuzzy as I wasn't paying all that much
> attention to that sort of thing seven years ago).
>
IIRC in 2011 Arch didn't even use gpg for signing packages, so it's quite an ancient time.

> If you don't trust the Arch-run/administered infrastructure you can't
> really trust any of the packages in the repos either.
>
The point was that before the changes no user had to care about https://github.com/Archlinux,
and now it's critical infrastructure for self-hosting package sources.

> [1] https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
> [2] https://en.wikipedia.org/wiki/Kernel.org
> [3] https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/
>
Yours sincerely
G. K.