New supply-chain security tool: backseat-signed

[Sean Whitton]

Hello,

On Sat 06 Apr 2024 at 02:42pm +03, Adrian Bunk wrote:

> On Sat, Apr 06, 2024 at 07:13:22PM +0800, Sean Whitton wrote:
>> Hello,
>>
>> On Fri 05 Apr 2024 at 01:31am +03, Adrian Bunk wrote:
>>
>> >
>> > Right now the preferred form of source in Debian is an upstream-signed
>> > release tarball, NOT anything from git.
>>
>> The preferred form of modification is not simply up for proclamation.
>> Our practices, which are focused around git, make it the case that
>> salsa & dgit in some combination are the preferred form for modification
>> for most packages.
>
> You cannot simply proclaim that some git tree is the preferred form of
> modification without shipping said git tree in our ftp archive.
>
> If your claim was true, then Debian and downstreams would be violating
> licences like the GPL by not providing the preferred form of modification
> in the archive.

Well, maybe we are!  Or maybe we're not when we publish those histories
on salsa and/or dgit-repos.

It also seems important to note that this is project-specific.  Whether
the git history is part of the preferred form of modification depends on
the project's practices and content.

I don't have a settled opinion on what we should be doing.  But what I
am sure about is that the preferred form for modification is determined
by the content of the project, and we can't change what the preferred
form for modification actually is just by choosing what exactly we
publish.

-- 
Sean Whitton
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 869 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20240407/0c8433a6/attachment.sig>