On 3 April 2017 at 10:53, Choong, Yin Thong <yin.thong.choong@intel.com> wrote:

> The link seems to have been created by an individual, not a company or group. Therefore, we decided to drop this link and go for yoctoproject.org/mirror.

This is true; there's not that much in the repo itself to create trust. The major show of trust is here, though: http://pkgs.fedoraproject.org/cgit/rpms/logrotate.git/commit/?id=9cb55142e51b82085d6c3136448c1f441454e351
Fedora/Red Hat themselves changed to use this repo when the fedorahosted repos were EOL'd (see also Red Hat folks working on the github issues in January).

If the release tarballs have been re-generated and the hashes no longer match, I'd still prefer modifying the recipe to use github (after manually diffing to make sure they are the same source release of course) but I can understand a differing viewpoint in this case.

It would be good to mention the issue in the commit message, whichever way this is solved.
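The "manually diffing" step mentioned above, as an added example that is not part of this thread or of any Yocto/OpenEmbedded recipe: when a release tarball has been re-generated, its checksum changes even if the source is untouched (tar ordering, timestamps, gzip header), so the useful check is a per-file content comparison between the tarball and the git checkout at the release tag. The script assumes GNU tar and sha256sum, and builds its own constructed fixtures (a fake checkout plus two tarballs) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare the file contents of
# a release tarball against a directory such as a git checkout at the release
# tag, ignoring tarball metadata (timestamps, ownership, member order) that
# changes when a tarball is re-generated and makes its sha256 differ.
set -u

# tree_digest DIR: print "sha256  relative/path" for every regular file under
# DIR (skipping a .git directory), sorted so identical trees print identically.
tree_digest() {
    ( cd "$1" && find . -name .git -prune -o -type f -print | LC_ALL=C sort \
      | while IFS= read -r f; do
          printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "${f#./}"
        done )
}

# compare_tarball_to_dir TARBALL DIR [STRIP]: extract TARBALL into a temp dir,
# drop the leading "name-version/" component (STRIP defaults to 1) and diff the
# per-file digests. Returns 0 if the content is identical, 1 if it differs,
# 2 on extraction failure. The unified diff names every differing file.
compare_tarball_to_dir() {
    tarball=$1; dir=$2; strip=${3:-1}
    tmp=$(mktemp -d) || return 2
    tar -xf "$tarball" -C "$tmp" --strip-components="$strip" \
        || { rm -rf "$tmp"; return 2; }
    tree_digest "$tmp" > "$tmp.tar.sums"
    tree_digest "$dir" > "$tmp.dir.sums"
    if diff -u "$tmp.tar.sums" "$tmp.dir.sums"; then rc=0; else rc=1; fi
    rm -rf "$tmp" "$tmp.tar.sums" "$tmp.dir.sums"
    return $rc
}

# make_fixtures: constructed test data, not real logrotate sources. Prints the
# work directory containing:
#   checkout/          - stands in for the git checkout at the release tag
#   release-a.tar.gz   - same content, re-packed with a different mtime
#   release-b.tar.gz   - one file altered
make_fixtures() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/checkout/src"
    printf 'int main(void) { return 0; }\n' > "$work/checkout/src/main.c"
    printf 'constructed sample project\n' > "$work/checkout/README"
    cp -r "$work/checkout" "$work/pkg-1.0"
    touch -t 200001010000 "$work/pkg-1.0/README"      # metadata-only change
    tar -czf "$work/release-a.tar.gz" -C "$work" pkg-1.0
    printf 'int main(void) { return 1; }\n' > "$work/pkg-1.0/src/main.c"
    tar -czf "$work/release-b.tar.gz" -C "$work" pkg-1.0
    rm -rf "$work/pkg-1.0"
    printf '%s\n' "$work"
}

# Stand-alone demonstration on the constructed fixtures.
WORK=$(make_fixtures)
echo "release-a vs checkout:"
compare_tarball_to_dir "$WORK/release-a.tar.gz" "$WORK/checkout" && echo "  identical content"
echo "release-b vs checkout:"
compare_tarball_to_dir "$WORK/release-b.tar.gz" "$WORK/checkout" || echo "  content differs"
rm -rf "$WORK"
```

For a real recipe the call would be `compare_tarball_to_dir logrotate-X.Y.Z.tar.gz /path/to/logrotate-git-checkout` after `git checkout` of the release tag; a clean exit 0 is the evidence worth citing in the commit message when the tarball checksum has changed but the source has not. Generated files that only exist in the tarball (configure scripts, etc.) will show up in the diff and have to be judged individually.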
