[arch-general] Kernel source URL change

Eli Schwartz eschwartz at archlinux.org
Wed Aug 8 20:17:09 UTC 2018


On 8/8/18 4:11 PM, Tharre via arch-general wrote:
> On 08/08, Geo Kozey via arch-general wrote:
>> There is no tradition in Arch to self-host package sources as Debian does unless upstream has
>> completely broken release process. This can impose security risks on Arch as we now have to
>> trust their github infra rather than kernel.org (we all know what happened to gentoo recently).
>> I'm aware that Barthalion made an effort to hardenize Arch github infra but still this is a new risk
>> which didn't exist before.
> [...]
>> The point was that before changes no user had to care about https://github.com/Archlinux
>> and now it's critical infrastructure for self-hosting package sources.
> 
> No, nobody has to trust github or for that fact kernel.org. The
> commits/tags are *signed* and thus makepkg will check if that signature
> matches one of those specified in the validpgpkeys array.
> 
> From a security standpoint, it's irrelevant if the sources come from
> arch hosted infra, from github, or from kernel.org.

I'm all for hosting it through bittorrent TBH.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
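The check Tharre describes above (makepkg accepting a signed tag only when the signing key's fingerprint is listed in validpgpkeys) is what makes the hosting location irrelevant. The following is an added example, not code from this thread or from makepkg itself: it models the allowlist decision over the gpg status-fd output that makepkg reads. The status lines and the fingerprints in them are constructed placeholders, and the handling of the optional primary-key field at the end of a VALIDSIG line is this example's own assumption about the format. The gpg trust-level path that makepkg follows when validpgpkeys is empty is deliberately not modelled.

```python
"""Model of the validpgpkeys allowlist check (added example, not makepkg's code)."""

# Constructed gpg --status-fd output for a good signature. Both fingerprints
# are placeholders, not real keys. Field 12 of VALIDSIG is the primary-key
# fingerprint when the signature was made by a subkey (assumed format).
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
    "2018-08-08 1533759429 0 4 0 1 10 00 "
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)

# Constructed output for a signature that does not verify at all.
BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maint@example.org>\n"
)


def validsig_fingerprints(status_text):
    """Collect the signing-key fingerprint (and primary-key fingerprint, when
    present) from every VALIDSIG line. A VALIDSIG line only appears for a
    signature gpg verified cryptographically, so an empty result means the
    data was unsigned, tampered with, or signed by an unknown key."""
    fingerprints = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            fingerprints.add(fields[2].upper())
            if len(fields) >= 12:  # optional primary-key fingerprint (assumed)
                fingerprints.add(fields[11].upper())
    return fingerprints


def signature_accepted(status_text, validpgpkeys):
    """Decide as the validpgpkeys path does: the signature must be good AND be
    made by a key whose fingerprint is in the allowlist. Nothing about where
    the sources were downloaded from enters the decision, which is the point
    made in the thread: GitHub, kernel.org or a torrent are interchangeable."""
    fingerprints = validsig_fingerprints(status_text)
    if not fingerprints:
        return False
    allowed = {key.replace(" ", "").upper() for key in validpgpkeys}
    return bool(fingerprints & allowed)


def demo():
    """Run the four cases a packager cares about and return the outcomes."""
    trusted = ["0123456789ABCDEF0123456789ABCDEF01234567"]
    return {
        # good signature by an allowlisted key: accepted
        "good_and_allowed": signature_accepted(GOOD_STATUS, trusted),
        # gpg says GOODSIG, but the key is not in validpgpkeys: rejected
        "good_but_unknown_key": signature_accepted(
            GOOD_STATUS, ["1111111111111111111111111111111111111111"]),
        # signature does not verify at all: rejected
        "bad_signature": signature_accepted(BAD_STATUS, trusted),
        # subkey signature, allowlist names the primary key: accepted
        "allowed_via_primary": signature_accepted(
            GOOD_STATUS, ["FEDCBA9876543210FEDCBA9876543210FEDCBA98"]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The second case is the one worth noticing: a signature gpg itself reports as good is still rejected when the key is not in validpgpkeys, so compromising a hosting site gains nothing unless the attacker also holds a listed key.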
