Hello,

Andreas Enge <andr...@enge.fr> writes:

> Well, I would say it also depends on the upstream project. I am
> maintainer (and releaser) of a GNU project that by tradition relies on
> tarballs as releases. These are created by "make distcheck" and tested
> as such on other architectures. Then they are signed and uploaded.
> Probably you would get the same result by using the corresponding
> git tag, but this is not what I would consider our release.

I think it’s a tradition worth questioning, especially after the xz fiasco which showed by example why bootstrapping (building from source) and having reproducible builds matter.

Ludo’.