Otto Kekäläinen <o...@debian.org> writes:

> I just want to re-iterate that I like the idea of having DD signed git
> tags trigger uploads to Debian. It has many benefits in quality and
> security. I just wish we could get it without taking steps backward on
> security aspects.
Not a DD (yet), though I would like to think that in the post-Jia-Tan-xz-incident world we should reconsider the security guarantee of an upstream tarball, which can be intentionally prepared by a malicious upstream with a payload not available in the Git tag. A Git tag may be more trustworthy as the content is more easily accessible and hence gets more eyes of scrutiny. Of course, if upstream doesn't use Git it's another story.

Just my 2 cents.

--
Regards,
Xiyue Deng
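As an added illustration of the point raised above (this is not code from the thread or from Debian tooling), the check a reviewer could run: compare the files shipped in a release tarball against the file manifest taken from the signed git tag, flagging files the tarball adds or changes. The tag tree, the tarball and all file names below are constructed for the example.

```python
import hashlib
import io
import tarfile

# Constructed stand-in for the tagged tree a reviewer would obtain from the
# signed tag (e.g. the output of `git archive <tag>`), as path -> contents.
TAG_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
# Manifest: path -> sha256 of the tagged contents.
TAG_MANIFEST = {p: hashlib.sha256(d).hexdigest() for p, d in TAG_TREE.items()}


def build_tarball(files, prefix="demo-1.0/"):
    """Build an in-memory .tar.gz laid out like a release tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def compare_tarball_to_tag(tar_bytes, tag_manifest, prefix="demo-1.0/"):
    """Report files only in the tarball, files that differ from the tag, and files missing."""
    seen = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name
            path = name[len(prefix):] if name.startswith(prefix) else name
            seen[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return {
        "added": sorted(p for p in seen if p not in tag_manifest),
        "modified": sorted(p for p in seen if p in tag_manifest and seen[p] != tag_manifest[p]),
        "missing": sorted(p for p in tag_manifest if p not in seen),
    }


# Constructed release tarball: the tagged sources plus one file that never
# appeared in git, and one source file that differs from what was tagged.
RELEASE_FILES = dict(TAG_TREE)
RELEASE_FILES["build-aux/generated-helper.m4"] = b"# not present in the tagged tree\n"
RELEASE_FILES["src/main.c"] = b"int main(void) { return 1; }\n"

if __name__ == "__main__":
    report = compare_tarball_to_tag(build_tarball(RELEASE_FILES), TAG_MANIFEST)
    for kind, paths in report.items():
        print(kind, paths)
```

Anything under "added" or "modified" is exactly the content a tag-triggered upload would never have carried and deserves a human look before the tarball is accepted.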