On 08/08, Geo Kozey via arch-general wrote:
> There is no tradition in Arch to self-host package sources as Debian does unless upstream has
> completely broken release process. This can impose security risks on Arch as we now have to
> trust their github infra rather than kernel.org (we all know what happened to gentoo recently).
> I'm aware that Barthalion made an effort to hardenize Arch github infra but still this is a new risk
> which didn't exist before.
[...]
> The point was that before changes no user had to care about https://github.com/Archlinux
> and now it's critical infrastructure for self-hosting package sources.

No, nobody has to trust github or for that fact kernel.org. The commits/tags are *signed* and thus
makepkg will check if that signature matches one of those specified in the validpgpkeys array.
From a security standpoint, it's irrelevant if the sources come from arch hosted infra, from github,
or from kernel.org.

Regards,
Tharre

-- 
PGP fingerprint: 42CE 7698 D6A0 6129 AA16 EF5C 5431 BDE2 C8F0 B2F4
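An added illustration of the check Tharre describes (this is example code, not makepkg's own implementation, and not part of the thread). makepkg runs gpg with --status-fd and reads the resulting status lines; the script below approximates that decision with a hypothetical check_signature_status function: accept only when gpg reports VALIDSIG, no failure line is present, and the primary-key fingerprint named by VALIDSIG is one of the keys pinned in the PKGBUILD's validpgpkeys array. Everything else is constructed: the fingerprints, the flattened VALIDPGPKEYS string standing in for the bash array, and the four status outputs (a pinned key, an unpinned key, a bad signature, a revoked key). The status-line layouts follow GnuPG's documented --status-fd format. The point it makes runnable is the one in the reply: the trust anchor is the set of pinned fingerprints, so which host served the tarball or git tag does not enter the decision.

```shell
#!/bin/sh
# Added example, not makepkg's own code. Models the decision the reply
# describes: makepkg runs gpg with --status-fd on a detached signature or a
# signed git tag and accepts the source only when the signing key's primary
# fingerprint is in the PKGBUILD's validpgpkeys array. The status-line
# layouts follow GnuPG's documented --status-fd format; every fingerprint
# below is a constructed sample value, not a real key.

# Hypothetical validpgpkeys array from a PKGBUILD, flattened to one string so
# it iterates in plain POSIX sh.
VALIDPGPKEYS="0000AAAA1111BBBB2222CCCC3333DDDD4444EEEE FFFF0000111122223333444455556666777788889999"

# check_signature_status FILE
#   FILE holds gpg --status-fd output. Returns 0 (accept) only when
#     * a VALIDSIG line is present (the signature verifies cryptographically),
#     * no BADSIG/ERRSIG/REVKEYSIG/EXPKEYSIG/EXPSIG line is present, and
#     * the primary-key fingerprint named by VALIDSIG is in VALIDPGPKEYS.
#   GOODSIG alone is deliberately not enough: it means a valid signature by
#   *some* key on the keyring, not by one the packager chose to pin.
check_signature_status() {
    statusfile=$1
    fingerprint=""
    failed=0
    # VALIDSIG layout:
    # [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsvd> <pk> <hash> <class> [<primary-fpr>]
    # arg1 is the signing (sub)key fingerprint, arg10 the primary key's when given.
    while read -r _ type arg1 _ _ _ _ _ _ _ _ arg10 _; do
        case $type in
            VALIDSIG)
                if [ -n "$arg10" ]; then fingerprint=$arg10; else fingerprint=$arg1; fi ;;
            BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG|EXPSIG)
                failed=1 ;;
        esac
    done < "$statusfile"

    [ "$failed" -eq 0 ] || return 1
    [ -n "$fingerprint" ] || return 1
    for key in $VALIDPGPKEYS; do
        if [ "$key" = "$fingerprint" ]; then return 0; fi
    done
    return 1   # verified, but by a key nobody pinned: the host is not the trust anchor
}

# write_sample FILE VARIANT
#   Writes constructed gpg status output for four cases a packager meets.
write_sample() {
    case $2 in
        pinned)  # good signature by a pinned primary key
            cat > "$1" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3333DDDD4444EEEE Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 5555AAAA6666BBBB7777CCCC8888DDDD9999EEEE 2024-01-01 1704067200 0 4 0 1 10 00 0000AAAA1111BBBB2222CCCC3333DDDD4444EEEE
[GNUPG:] TRUST_FULLY 0 pgp
EOF
            ;;
        unpinned)  # valid signature, but from a key that is not in validpgpkeys
            cat > "$1" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1234567890ABCDEF Someone Else <else@example.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2024-01-01 1704067200 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
            ;;
        bad)  # tampered tarball or tag: the signature does not verify
            cat > "$1" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 3333DDDD4444EEEE Example Maintainer <maintainer@example.org>
EOF
            ;;
        revoked)  # pinned key, but gpg reports it as revoked
            cat > "$1" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 3333DDDD4444EEEE Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 5555AAAA6666BBBB7777CCCC8888DDDD9999EEEE 2024-01-01 1704067200 0 4 0 1 10 00 0000AAAA1111BBBB2222CCCC3333DDDD4444EEEE
EOF
            ;;
    esac
}

# Stand-alone demo: run all four cases and report the decision.
demo() {
    dir=$(mktemp -d)
    for variant in pinned unpinned bad revoked; do
        write_sample "$dir/$variant" "$variant"
        if check_signature_status "$dir/$variant"; then
            echo "$variant: accepted"
        else
            echo "$variant: rejected"
        fi
    done
    rm -rf "$dir"
}
demo
```

Only the "pinned" case is accepted. The "unpinned" case is the one worth noticing: the signature is cryptographically fine, gpg says so, and it is still rejected, because the decision is keyed on the fingerprints the packager pinned, not on whether some key on the keyring signed the artifact or on which server delivered it.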