On Thu, Mar 12, 2020 at 9:58 AM Bastien Nocera bnocera@redhat.com wrote:
> ----- Original Message -----
> <snip>
> > The git tags are still signed by Linus. Does that cover your concerns?
>
> Not really, no. I think that multiplying the intermediaries between kernel.org and the Fedora repos by adding gitlab.com in the middle might not be the best of ideas.
>
> If the Fedora security team is fine with it, I'm fine with it, and even if I understand the practical concerns (pagure not being up to par to deal with repos that size, and without mail gateway support), I find it slightly concerning.
I don't really see how this is relevant in regards to kernel.org.
dist-git still uses the lookaside for tarballs, which are downloaded from kernel.org, signature-verified, and uploaded independently of anything gitlab is doing. Development work happens on top of a tree at gitlab, which is how our Fedora-specific patches, config options, and spec file are maintained, but none of this is on kernel.org anyway. The tree used as a basis does use the kernel.org tree, but this is not much different from cloning a tree anywhere else and doing development on top of it.
Justin