New supply-chain security tool: backseat-signed

Adrian Bunk bunk at debian.org
Sat Apr 6 11:42:33 UTC 2024


On Sat, Apr 06, 2024 at 07:13:22PM +0800, Sean Whitton wrote:
> Hello,
> 
> On Fri 05 Apr 2024 at 01:31am +03, Adrian Bunk wrote:
> 
> >
> > Right now the preferred form of source in Debian is an upstream-signed
> > release tarball, NOT anything from git.
> 
> The preferred form of modification is not simply up for proclamation.
> Our practices, which are focused around git, make it the case that
> salsa & dgit in some combination are the preferred form for modification
> for most packages.

You cannot simply proclaim that some git tree is the preferred form of 
modification without shipping said git tree in our ftp archive.

If your claim was true, then Debian and downstreams would be violating 
licences like the GPL by not providing the preferred form of modification
in the archive.

> Sean Whitton

cu
Adrian
