On Thu, Mar 12, 2020 at 9:58 AM Bastien Nocera <bnocera@xxxxxxxxxx> wrote:
>
> ----- Original Message -----
> <snip>
> > The git tags are still signed by Linus. Does that cover your concerns?
>
> Not really, no. I think that multiplying the intermediaries between
> kernel.org and the Fedora repos by adding gitlab.com in the middle might
> not be the best of ideas.
>
> If the Fedora security team is fine with it, I'm fine with it, and even if
> I understand the practical concerns (pagure not being up to par to deal
> with repos that size, and without a mail gateway support), I find it
> slightly concerning.
>

I don't really see how this is relevant in regards to kernel.org. dist-git still uses the lookaside for tarballs, which are downloaded from kernel.org, signature verified, and uploaded independent of anything gitlab is doing. Development work happens on top of a tree at gitlab, which is how our fedora specific patches, config options, and spec file are maintained, but none of this is on kernel.org anyway. The tree used as a basis does use the kernel.org tree, but this is not much different from cloning a tree anywhere else and doing development on top of it.

Justin