On 8/8/18 4:11 PM, Tharre via arch-general wrote:
> On 08/08, Geo Kozey via arch-general wrote:
>> There is no tradition in Arch to self-host package sources as Debian does unless upstream has
>> completely broken release process. This can impose security risks on Arch as we now have to
>> trust their github infra rather than kernel.org (we all know what happened to gentoo recently).
>> I'm aware that Barthalion made an effort to hardenize Arch github infra but still this is a new risk
>> which didn't exist before.
> [...]
>> The point was that before changes no user had to care about https://github.com/Archlinux
>> and now it's critical infrastructure for self-hosting package sources.
>
> No, nobody has to trust github or for that fact kernel.org. The
> commits/tags are *signed* and thus makepkg will check if that signature
> matches one of those specified in the validpgpkeys array.
>
> From a security standpoint, it's irrelevant if the sources come from
> arch hosted infra, from github, or from kernel.org.

I'm all for hosting it through bittorrent TBH.

--
Eli Schwartz
Bug Wrangler and Trusted User
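The check Tharre describes (a signed tag or commit is only accepted if its key is listed in the PKGBUILD's validpgpkeys array), modelled here as an added example that is not makepkg's own code. It assumes the GnuPG status-line layout documented in gnupg's doc/DETAILS, where the 12th field of a VALIDSIG line is the primary-key fingerprint, and the fingerprints in the sample output are constructed placeholders, not real keys.

```bash
#!/bin/sh
# Decide whether a signature is acceptable the way validpgpkeys does.
# $1: GnuPG status lines, as produced by `git verify-tag --raw <tag>`
#     (on stderr) or `gpg --status-fd 1 --verify <sig> <file>`.
# $2: whitespace-separated full fingerprints (the validpgpkeys array).
# Accept only a VALIDSIG whose *primary-key* fingerprint is listed, so a
# signature made by a subkey still matches the primary key in the array.
# Reject on any bad, unknown-key, expired or revoked status.
check_validpgpkeys() {
    printf '%s\n' "$1" | awk -v keys="$2" '
        BEGIN {
            n = split(keys, k, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (k[i] != "") allowed[toupper(k[i])] = 1
            verdict = 1                       # 0 once an allowed VALIDSIG is seen
        }
        $1 != "[GNUPG:]" { next }             # ignore non-status lines
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" {
            print "rejected: " $2; verdict = 1; exit 1
        }
        $2 == "VALIDSIG" {
            fpr = toupper($12)                # primary-key fingerprint field
            if (fpr != "" && (fpr in allowed)) { print "accepted: " fpr; verdict = 0 }
            else print "signed by unlisted key: " fpr
        }
        END { exit verdict }'
}

# Constructed sample: signature made by subkey 2222..., primary key 1111...
VALIDPGPKEYS='1111111111111111111111111111111111111111'
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Example Upstream <upstream@example.org>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2018-08-08 1533700000 0 4 0 1 8 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2222222222222222 Example Upstream <upstream@example.org>'
UNKNOWN_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 3333333333333333 1 8 00 1533700000 9 3333333333333333333333333333333333333333'

check_validpgpkeys "$GOOD_STATUS" "$VALIDPGPKEYS"      # accepted
check_validpgpkeys "$BAD_STATUS" "$VALIDPGPKEYS"       # rejected: BADSIG
check_validpgpkeys "$UNKNOWN_STATUS" "$VALIDPGPKEYS"   # rejected: ERRSIG
```

Note that a good signature from a key not in the array is also rejected, which is the property that makes the hosting location irrelevant.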