On Thu, Mar 12, 2020 at 9:58 AM Bastien Nocera <bnocera(a)redhat.com> wrote:
> ----- Original Message -----
> <snip>
> > The git tags are still signed by Linus. Does that cover your concerns?
>
> Not really, no. I think that multiplying the intermediaries between
> kernel.org and the Fedora repos by adding gitlab.com in the middle might
> not be the best of ideas.
>
> If the Fedora security team is fine with it, I'm fine with it, and even if
> I understand the practical concerns (pagure not being up to par to deal
> with repos that size, and without a mail gateway support), I find it
> slightly concerning.
I don't really see how this is relevant in regards to kernel.org. dist-git
still uses the lookaside for tarballs, which are downloaded from
kernel.org, signature verified, and uploaded independently of anything
gitlab is doing. Development work happens on top of a tree at gitlab, which
is how our Fedora-specific patches, config options, and spec file are
maintained, but none of this is on kernel.org anyway. The tree used as a
basis does use the kernel.org tree, but this is not much different from
cloning a tree anywhere else and doing development on top of it.
Justin