New supply-chain security tool: backseat-signed

Sean Whitton spwhitton at
Sun Apr 7 07:43:13 UTC 2024


On Sat 06 Apr 2024 at 02:24pm +02, Guillem Jover wrote:

> Hi!
> On Sat, 2024-04-06 at 19:13:22 +0800, Sean Whitton wrote:
>> On Fri 05 Apr 2024 at 01:31am +03, Adrian Bunk wrote:
>> > Right now the preferred form of source in Debian is an upstream-signed
>> > release tarball, NOT anything from git.
>> The preferred form of modification is not simply up for proclamation.
>> Our practices, which are focused around git, make it the case that
>> salsa & dgit in some combination are the preferred form for modification
>> for most packages.
> People keep bringing this up, and it keeps making no sense. I've
> covered this over the years in:
> (There's in addition the part that Adrian covers in another reply.)

I understand this point of view.  The situation is not clear.
But it is at least plausible that for some projects, the git history is
part of the preferred form for modification.  It is certainly not always

I think that this point is largely academic, however.  We are doing a
disservice to our users if they have to go hunting beyond Debian
services to find the upstream git history, because they'll likely want
it if they indeed do want to modify packages installed on their system.
Our own git histories of packaging changes aren't enough.  So we should
be hosting both, on some combination of salsa and dgit-repos.

Sean Whitton
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 869 bytes
Desc: not available
URL: <>

More information about the rb-general mailing list