On 2024-04-01 12:44, Bastian Blank wrote:

> So in the end you still need to manually review all the stuff that the
> tarball contains extra to the git.  And for that I don't see that it
> actually gives some helping hands and makes it easier.
>
> So I really don't see how this makes the problem in hand any better.
> Again the workload of review is on the person doing the job.  Aka we do
> fragile manual work instead of possibly failing automatic work.

I think that if Debian was using git instead of the generated tarball, this part of the backdoor would have just been included in the git repository as well. If we were able to magically switch everything to git (and we won't, we are not even able to agree on simpler stuff), I don't think it would have prevented the attack.
