[arch-general] Kernel source URL change

Tharre tharre3 at gmail.com
Wed Aug 8 20:11:23 UTC 2018


On 08/08, Geo Kozey via arch-general wrote:
> There is no tradition in Arch to self-host package sources as Debian does unless upstream has
> completely broken release process. This can impose security risks on Arch as we now have to
> trust their github infra rather than kernel.org (we all know what happened to gentoo recently).
> I'm aware that Barthalion made an effort to hardenize Arch github infra but still this is a new risk
> which didn't exist before.
[...]
> The point was that before changes no user had to care about https://github.com/Archlinux
> and now it's critical infrastructure for self-hosting package sources.

No, nobody has to trust github or for that fact kernel.org. The
commits/tags are *signed* and thus makepkg will check if that signature
matches one of those specified in the validpgpkeys array.

From a security standpoint, it's irrelevant if the sources come from
arch hosted infra, from github, or from kernel.org.

Regards,
Tharre

-- 
PGP fingerprint: 42CE 7698 D6A0 6129 AA16  EF5C 5431 BDE2 C8F0 B2F4
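The check Tharre describes is what decides trust here, so the following added example (not code from the thread, from pacman, or from makepkg itself) re-implements that logic on constructed `gpg --status-fd` output: a source is accepted only when the detached signature verifies and the signing key's fingerprint (or, as makepkg also allows, the fingerprint of its primary key) is listed in `validpgpkeys`. All fingerprints, key IDs and addresses are placeholders; `validpgpkeys` is kept as a plain string rather than the bash array a real PKGBUILD uses, so the script also runs under POSIX sh.

```shell
#!/bin/sh
# Added example: mirrors makepkg's source-signature check. The download
# location (kernel.org, github, Arch-hosted) never enters the decision.

# Placeholder fingerprints (constructed for this example, not real keys).
PRIMARY_FPR=0000000000000000000000000000000000000001
SUBKEY_FPR=0000000000000000000000000000000000000002
OTHER_FPR=0000000000000000000000000000000000000003

# In a real PKGBUILD this is the bash array validpgpkeys=(...).
validpgpkeys="$PRIMARY_FPR"

# Constructed gpg --status-fd output for three situations:
# 1. good signature by a subkey whose primary key is listed
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000002 Example Maintainer <placeholder@example.invalid>
[GNUPG:] VALIDSIG $SUBKEY_FPR 2018-08-08 1533715200 0 4 0 1 10 00 $PRIMARY_FPR"
# 2. good signature, but from a key that is not in validpgpkeys
UNLISTED_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000003 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG $OTHER_FPR 2018-08-08 1533715200 0 4 0 1 10 00 $OTHER_FPR"
# 3. signature does not verify at all (tampered tarball or wrong .sign file)
BAD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000002 Example Maintainer <placeholder@example.invalid>"

# Print the signing-key fingerprint and, when gpg reports it, the primary-key
# fingerprint from the VALIDSIG line, one per line. A bad or missing
# signature has no VALIDSIG line, so nothing is printed.
valid_fingerprints() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
        print $3
        if (NF >= 12) print $12
        exit
    }'
}

# Return 0 only if the signature verified AND one of its fingerprints is
# listed in validpgpkeys; anything else is a failure, like makepkg's
# "One or more PGP signatures could not be verified!".
check_sig_status() {
    for fpr in $(valid_fingerprints "$1"); do
        for key in $validpgpkeys; do
            [ "$key" = "$fpr" ] && return 0
        done
    done
    return 1
}

# Stand-alone run: report the verdict for each constructed case.
for case in GOOD_STATUS UNLISTED_STATUS BAD_STATUS; do
    eval "status=\$$case"
    if check_sig_status "$status"; then
        echo "$case: accepted"
    else
        echo "$case: rejected"
    fi
done
```

In a real PKGBUILD the equivalent inputs are `source=(... "https://example.invalid/linux-X.Y.tar.xz" "https://example.invalid/linux-X.Y.tar.sign")` (placeholder URLs) plus `validpgpkeys=(...)`; makepkg runs gpg on the `.sign` file and applies exactly this accept/reject decision, which is why the mirror serving the tarball is interchangeable from a security standpoint.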

