New supply-chain security tool: backseat-signed
Guillem Jover
guillem at debian.org
Sat Apr 6 12:24:28 UTC 2024
Hi!
On Sat, 2024-04-06 at 19:13:22 +0800, Sean Whitton wrote:
> On Fri 05 Apr 2024 at 01:31am +03, Adrian Bunk wrote:
> > Right now the preferred form of source in Debian is an upstream-signed
> > release tarball, NOT anything from git.
>
> The preferred form of modification is not simply up for proclamation.
> Our practices, which are focused around git, make it the case that
> salsa & dgit in some combination are the preferred form for modification
> for most packages.
People keep bringing this up, and it keeps making no sense. I've
covered this over the years in:
https://lists.debian.org/debian-devel/2014/03/msg00330.html
https://lists.debian.org/debian-project/2019/07/msg00180.html
(There's in addition the part that Adrian covers in another reply.)
Thanks,
Guillem