On August 8, 2018 4:54 AM, Giancarlo Razzolini via arch-general 
<arch-general@archlinux.org> wrote:

> On August 7, 2018 23:31 W B via arch-general wrote:
> 
> > It isn't an order.
> > 
> > > Can you tell us why this change was required, please?
> 
> Have you read the original post to the list? Especially this [0]?
> 

The author of the original post was only speculating about possible reasons for
the recent changes. He also asked a few questions which weren't answered.

> Those tar files you just linked are not signed by Linus anymore, they are
> signed instead by Greg Kroah-Hartman. You would have known this if you
> bothered to actually download them and check the signature.
> 

Greg Kroah-Hartman's PGP key was already included in validpgpkeys inside the
PKGBUILD, so there is no real argument here.

> Another reason for this move is to apply our patches as commits. You can use
> any other kernel if you want.
> 

There is no tradition in Arch of self-hosting package sources as Debian does,
unless upstream has a completely broken release process. This can impose
security risks on Arch, as we now have to trust their GitHub infra rather than
kernel.org (we all know what happened to Gentoo recently). I'm aware that
Barthalion made an effort to harden the Arch GitHub infra, but still this is a
new risk which didn't exist before.

Is it a general Arch move to self-host sources and apply patches as commits, or
will the linux kernel package stay an outlier?

> [0] https://www.kernel.org/minor-changes-to-tarball-release-format.html
> 
> Cheers,
> Giancarlo Razzolini

Yours sincerely

G. K.
