On 3/12/20 10:57 AM, Bastien Nocera wrote:
----- Original Message -----
<snip>
The git tags are still signed by Linus. Does that cover your concerns?
Not really, no. I think that multiplying the intermediaries between kernel.org
and the Fedora repos by adding gitlab.com in the middle might not be the
best of ideas.
If the Fedora security team is fine with it, I'm fine with it, and even if I
understand the practical concerns (pagure not being up to par to deal with
repos that size, and without a mail gateway support), I find it slightly
concerning.
I think this boils down to how much do you trust the kernel maintainers.
Keep in mind that the existing model requires the kernel maintainers
to manually pull down a tree and extract the tarball and then upload.
You can probably trust them to not do anything malicious but mistakes
can happen (source: I screwed up many times). It's good to be concerned
about provenance as a threat model but I consider maintainers screwing
up manual tasks to be a bigger threat model to Fedora kernel security
so anything that moves towards automation is a benefit in my eyes.
Thanks,
Laura
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
