> From: Jonathon Fernyhough <jonathon@xxxxxxxxxxx> > Sent: Wed Aug 08 18:09:30 CEST 2018 > To: <arch-general@xxxxxxxxxxxxx> > Subject: Re: Kernel source URL change > > > On 08/08/18 12:43, Geo Kozey via arch-general wrote: > > This can impose security risks on Arch as we now have to > > trust their github infra rather than kernel.org (we all know what happened to gentoo recently) > > Just to provide some perspective, kernel.org itself had a major issue a > few years back [1][2][3]. kernel.org was down for several weeks after > that incident, and IIRC this prompted them to start using GitHub (at > least as a mirror; my memory is fuzzy as I wasn't paying all that much > attention to that sort of thing seven years ago). > IIRC in 2011 Arch didn't even used gpg for signing packages so it's quite ancient time. > If you don't trust the Arch-run/administered infrastructure you can't > really trust any of the packages in the repos either. > The point was that before changes no user had to care about https://github.com/Archlinux and now it's critical infrastructure for self-hosting package sources. > [1] https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/ > [2] https://en.wikipedia.org/wiki/Kernel.org > [3] https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/ > Yours sincerely G. K.
