Re: Validating tarballs against git repositories

To: debian-devel@lists.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Validating tarballs against git repositories
From: Marco d'Itri <md@Linux.IT>
Date: Sat, 6 Apr 2024 00:44:44 +0200
Message-id: <[🔎] ZhB-3DeR1TkOXMXA@bongo.bofh.it>
In-reply-to: <[🔎] ZhAIa9zRg_EmlmGH@remnant.pseudorandom.co.uk>
References: <2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net> <ZgeYAQuIz7DBtunP@thunder.hadrons.org> <61e2abfa-b041-4f8d-af9b-a7183cc653e1@gmail.com> <ZggQpT5sJlEryTX1@thunder.hadrons.org> <[🔎] ZhAIa9zRg_EmlmGH@remnant.pseudorandom.co.uk>

On Apr 05, Simon McVittie <smcv@debian.org> wrote:

> I find that having the upstream source code in git (in the same form that
> we use for the .orig.tar.*, so including Autotools noise, etc. if present,
> but excluding any files that we exclude by repacking) is an extremely
> useful tool, because it lets me trace the history of all of the files
> that we are treating as source - whether hand-written or autogenerated -
> if I want to do that. If we are concerned about defending against actively
I agree: it would be untinkable for me to not have the complete history 
immediately available while I am working on a package.

-- 
ciao,
Marco

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- Re: Validating tarballs against git repositories
  - From: Simon McVittie <smcv@debian.org>

Prev by Date: Re: xz backdoor
Next by Date: Re: New supply-chain security tool: backseat-signed
Previous by thread: Re: Validating tarballs against git repositories
Next by thread: Re: Validating tarballs against git repositories
Index(es):
- Date
- Thread