Hello, Simen Endsjø <[email protected]> writes:
> But I guess this point is a best-effort tip? When there is no release > with a supplied hash, I have no way of knowing and have to trust that > the repository is not tainted at the time I add the hash to the package. Yeah, it’s best-effort, and clearly not all upstreams are as principled as we’d like in this area. Ludo’.
