If we put out our own tar of all the sources, who is to say we did not tamper with them? This is a bit of a lose/lose, but we have a solution we are working on with other distros to have a shared repository for all these, often legacy, sources and a universal SWHID identifier for each one we can pin in stagex so they are highly tamper evident.
For the shorter term, we are starting to archive at archive.org and CERN and hope to have the fetch script be able to fail over to those soon.
The GNU servers are the worst, and unreliable for hours at a time, and have lots of rate limiting.
At the moment, collecting all the sources directly from upstreams, while great for trust building, is the biggest pain point. Sorry about that!
For the super short term, join #stagex:matrix.org and anyone would be happy to wormhole you their "fetch" directory.
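
Added example, not part of the comment above and not stagex's fetch script: a sketch of why a pinned content SWHID makes mirror failover safe, since bytes from any source (upstream, an archive, someone's shared "fetch" directory) are accepted only if they hash to the pin. The function names, source names and sample bytes are hypothetical; the fetchers are offline stand-ins for real downloads.

```python
import hashlib

def swhid_for_content(data: bytes) -> str:
    """SWHID v1 content identifier: SHA-1 over the Git blob encoding of the bytes."""
    header = b"blob %d\0" % len(data)
    return "swh:1:cnt:" + hashlib.sha1(header + data).hexdigest()

class NoTrustedSource(Exception):
    """Raised when no source returned bytes matching the pinned identifier."""

def fetch_pinned(pinned_swhid, sources):
    """Try each (name, fetch) pair in order; return the first verified result.

    Returns (source_name, data, failures). A source that is down or rate
    limited is skipped; a source that answers with different bytes is
    recorded as a mismatch and never used.
    """
    failures = []
    for name, fetch in sources:
        try:
            data = fetch()
        except OSError as exc:  # outage, timeout, rate limiting
            failures.append((name, "unavailable: %s" % exc))
            continue
        got = swhid_for_content(data)
        if got != pinned_swhid:
            failures.append((name, "mismatch: %s" % got))
            continue
        return name, data, failures
    raise NoTrustedSource(failures)

# Constructed sample data: stand-in bytes for a source tarball.
GOOD = b"constructed sample tarball bytes\n"
PIN = swhid_for_content(GOOD)  # in practice this value is committed to the repo

def _upstream_down():
    raise ConnectionError("rate limited")

def demo():
    sources = [
        ("upstream", _upstream_down),                     # unreachable
        ("mirror-a", lambda: GOOD + b"extra"),            # altered copy
        ("mirror-b", lambda: GOOD),                       # faithful copy
    ]
    return fetch_pinned(PIN, sources)

if __name__ == "__main__":
    name, data, failures = demo()
    print("accepted from", name)
    for src, reason in failures:
        print("rejected", src, reason)
```
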