----- Original Message ----- > > > On 3/12/20 10:57 AM, Bastien Nocera wrote: > > > > > > ----- Original Message ----- > > <snip> > >> The git tags are still signed by Linus. Does that cover your concerns? > > > > Not really, no. I think that multiplying the intermediaries between > > kernel.org > > and the Fedora repos by adding gitlab.com in the middle might not be the > > best of ideas. > > > > If the Fedora security team is fine with it, I'm fine with it, and even if > > I > > understand the practical concerns (pagure not being up to par to deal with > > repos that size, and without a mail gateway support), I find it slightly > > concerning. > > > > I think this boils down to how much do you trust the kernel maintainers. > Keep in mind that the existing model requires the kernel maintainers > to manually pull down a tree and extract the tarball and then upload. > You can probably trust them to not do anything malicious but mistakes > can happen (source: I screwed up many times). It's good to be concerned > about provenance as a threat model but I consider maintainers screwing > up manual tasks to be a bigger threat model to Fedora kernel security > so anything that moves towards automation is a benefit in my eyes.
For me, it's about how much we trust gitlab.com _in addition_ to trusting kernel.org and fedoraproject.org. I wouldn't be concerned at all if the new "in-between" tree was at either of those 2 locations. _______________________________________________ kernel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
