On 08/08/18 12:43, Geo Kozey via arch-general wrote: > This can impose security risks on Arch as we now have to > trust their github infra rather than kernel.org (we all know what happened to > gentoo recently)
Just to provide some perspective, kernel.org itself had a major issue a few years back [1][2][3]. kernel.org was down for several weeks after that incident, and IIRC this prompted them to start using GitHub (at least as a mirror; my memory is fuzzy as I wasn't paying all that much attention to that sort of thing seven years ago). If you don't trust the Arch-run/administered infrastructure you can't really trust any of the packages in the repos either. [1] https://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/ [2] https://en.wikipedia.org/wiki/Kernel.org [3] https://www.linuxfoundation.org/blog/2011/08/the-cracking-of-kernel-org/
signature.asc
Description: OpenPGP digital signature
