On Wed, Dec 3, 2025 at 11:42 AM Ludovic Courtès <[email protected]> wrote:
> My view as a packager is that release tarballs are on the decline. In
> Guix, 12k packages out of 30k (38%) have their source taken from a
> tarball; see also figures 3 and 4 of
> <https://hal.science/hal-04586520v1> for the general trend.

That's a fascinating statistic!

> Tarballs that contain pre-built artifacts are also a bootstrapping and a
> security issue, as illustrated by the attack on XZ-Utils.

I remember a discussion with Mark Weaver ~10 years ago where he advocated that Guix should move away from tarball builds for security/reproducibility reasons. He saw the xz-utils attack coming.

> Overall, evidence suggests that the presence or lack of release tarballs
> is unrelated to a project’s health. :-)

Agreed. A side effect of moving away from release tarballs is that it becomes a bit easier to eventually move away from autotools, as well. Just some food for thought. :)

- Dave
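The check a packager can run against the risk mentioned above (a release tarball carrying files that the version-controlled tree does not contain, which is how the malicious m4 file in the xz-utils backdoor was shipped) is small enough to show in full. The following is an added example, not code from this thread or from Guix; it constructs a toy checkout and a tarball of it in a temporary directory, adds two tarball-only files as a stand-in for generated or pre-built artifacts, and lists the members that are missing from the tree. Pointing `vcs_tree_files` at a real tag checkout (or a `git archive` output) and `tarball_members` at the published release is the intended use.

```python
"""List files shipped in a release tarball that are absent from the
version-controlled source tree.

Added example for the discussion above, not code from Guix or the thread's
authors.  The checkout and tarball are constructed in a temporary directory
so the example runs offline; names such as demo-1.0 are invented.
"""
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from pathlib import Path


def tarball_members(tarball: Path) -> set[str]:
    """Regular-file members of a tarball, with the top-level directory stripped."""
    names: set[str] = set()
    with tarfile.open(str(tarball), "r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            parts = Path(m.name).parts
            # release tarballs unpack into e.g. demo-1.0/, drop that prefix
            names.add("/".join(parts[1:]) if len(parts) > 1 else m.name)
    return names


def vcs_tree_files(tree: Path) -> set[str]:
    """Regular files under a checked-out tree, relative to its root (.git excluded)."""
    return {
        str(p.relative_to(tree)).replace(os.sep, "/")
        for p in tree.rglob("*")
        if p.is_file() and ".git" not in p.relative_to(tree).parts
    }


def unversioned_files(tarball: Path, tree: Path) -> list[str]:
    """Files present in the tarball that the VCS tree does not contain.

    Generated build scripts (configure, Makefile.in, m4 macros pulled in by
    autoreconf) normally land here and should be regenerated from source
    rather than trusted; anything else deserves a closer look.
    """
    return sorted(tarball_members(tarball) - vcs_tree_files(tree))


def build_fixture(root: Path) -> tuple[Path, Path]:
    """Construct a toy checkout and a release tarball of it plus extra files."""
    tree = root / "checkout"
    (tree / "src").mkdir(parents=True)
    (tree / "src" / "main.c").write_text("int main(void){return 0;}\n")
    (tree / "configure.ac").write_text("AC_INIT([demo],[1.0])\n")
    (tree / "m4").mkdir()
    (tree / "m4" / "tracked.m4").write_text("dnl tracked in VCS\n")

    tarball = root / "demo-1.0.tar.gz"
    with tarfile.open(str(tarball), "w:gz") as tf:
        for f in sorted(tree.rglob("*")):
            if f.is_file():
                tf.add(str(f), arcname=f"demo-1.0/{f.relative_to(tree)}")
        # constructed tarball-only files standing in for pre-built artifacts
        for name, body in [("configure", "#!/bin/sh\n"),
                           ("m4/generated.m4", "dnl not in VCS\n")]:
            data = body.encode()
            info = tarfile.TarInfo(f"demo-1.0/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tarball, tree


def demo() -> list[str]:
    """Run the comparison on the constructed fixture and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        tarball, tree = build_fixture(Path(d))
        return unversioned_files(tarball, tree)


if __name__ == "__main__":
    for f in demo():
        print("in tarball but not under version control:", f)
```

The comparison is deliberately a set difference rather than a content diff: a file that exists in both places but differs is a separate (and also worthwhile) check, while a file that exists only in the tarball is exactly the artifact that a VCS-based build avoids having to trust.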
