On 3 April 2017 at 09:30, Jussi Kukkonen <jussi.kukkonen@intel.com> wrote:

This is true, there's not that much in the repo itself to create trust. The major show of trust is here though: http://pkgs.fedoraproject.org/cgit/rpms/logrotate.git/commit/?id=9cb55142e51b82085d6c3136448c1f441454e351
Fedora/Red Hat themselves changed to use this repo when the fedorahosted repos were EOL'd (see also Red Hat folks working on the github issues in January).

So logrotate was originally hosted on Fedora infrastructure that is then shut down, a github repository appears and Fedora fetch from that github repository. Also the commit in the github repository to change the README from fedorahosted to github (https://github.com/logrotate/logrotate/commit/09c4fa8bc6cf2c01bad24d33c3ea69371030c014) was committed by a Red Hat employee (https://github.com/kdudka).

Whilst there are many official-looking forks on github that are just Some Guy, this is clearly the new canonical home.

Ross