Jochen Sprickerhof <[email protected]> writes:

> Python Team:
>
> "DPT requires a pristine-tar branch"
>
> https://salsa.debian.org/python-team/tools/python-modules/blob/master/policy.rst
The Python Team's Policy insistence on use of pristine-tar and throwing away upstream git history is [1]:

    DPT requires a pristine-tar branch, and only upstream tarballs can be
    used to advance the upstream branch. Complete upstream Git history
    should be avoided in the upstream branch.

The pypi.debian.net man-in-the-middle upstream tarball redirector is the recommended (?) debian/watch URL to use for Python packages [2].

I find this combination really odd. It is a great setup to enable xz-style attacks: (several) trusted indirections and lack of audit-chain between the source code consumed by Debian and the source code from the upstream maintainer git repository. Debian is using Python sources from pypi.debian.net, which may or may not be the actual pypi.org tarball, which may or may not be the source code coming from each upstream's actual source repository.

/Simon

[1] https://salsa.debian.org/python-team/tools/python-modules/blob/master/policy.rst
[2] https://wiki.debian.org/Python/LibraryStyleGuide
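The audit-chain gap the message describes (a release tarball that is consumed without ever being compared against the upstream git tree) can be narrowed by diffing the two artifacts file by file. The following is an added example, not code from the Debian Python Team or from this thread; it compares a release tarball against a `git archive`-style export of the upstream tag and lists files that exist only in the tarball, files that exist only in the git tree, and files whose contents differ. Both archives here are constructed in memory so the script runs offline; in practice the release tarball would be the sdist fetched via debian/watch and the upstream export would come from the tagged commit. The allowlist of legitimately generated sdist files (`PKG-INFO`, `*.egg-info/*`) is an assumption and should be tuned per package.

```python
import fnmatch
import hashlib
import io
import tarfile


def build_tar(files):
    """Build a gzip-compressed tar in memory from {path: bytes}.

    Used only to construct the sample archives below; real inputs would be
    read from disk.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def file_digests(tar_bytes):
    """Map each regular file (top-level directory stripped) to its sha256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # Strip the leading "pkg-1.0/" component so the two archives
            # can be compared even if their top-level directories differ.
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            digests[rel] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return digests


def audit_tarball(release_tar, upstream_tar):
    """Compare a release tarball with an export of the upstream git tag."""
    rel = file_digests(release_tar)
    up = file_digests(upstream_tar)
    return {
        "only_in_release": sorted(set(rel) - set(up)),
        "only_in_upstream": sorted(set(up) - set(rel)),
        "modified": sorted(p for p in rel.keys() & up.keys() if rel[p] != up[p]),
    }


# Assumed allowlist: files an sdist is expected to add relative to git.
GENERATED_OK = ("PKG-INFO", "*.egg-info/*")


def unexplained_additions(report, allowlist=GENERATED_OK):
    """Tarball-only files that no allowlist pattern accounts for.

    These are exactly the files a reviewer must read: the xz backdoor lived
    in a build script present only in the release tarball, not in git.
    """
    return [
        p for p in report["only_in_release"]
        if not any(fnmatch.fnmatch(p, pat) for pat in allowlist)
    ]


# Constructed sample: what `git archive v1.0` of the upstream repo would hold.
UPSTREAM_EXPORT = build_tar({
    "pkg-1.0/setup.py": b"from setuptools import setup\nsetup(name='pkg', version='1.0')\n",
    "pkg-1.0/pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg-1.0/.github/workflows/ci.yml": b"on: [push]\n",
})

# Constructed sample: the sdist as fetched from the tarball redirector.
# It carries the expected generated PKG-INFO, a modified module, and a
# build helper that has no counterpart in git.
RELEASE_SDIST = build_tar({
    "pkg-1.0/setup.py": b"from setuptools import setup\nsetup(name='pkg', version='1.0')\n",
    "pkg-1.0/pkg/__init__.py": b"__version__ = '1.0'\nimport os\n",
    "pkg-1.0/PKG-INFO": b"Metadata-Version: 2.1\nName: pkg\nVersion: 1.0\n",
    "pkg-1.0/build-aux/inject.m4": b"dnl constructed: present only in the tarball\n",
})


if __name__ == "__main__":
    report = audit_tarball(RELEASE_SDIST, UPSTREAM_EXPORT)
    for key, paths in report.items():
        print(f"{key}: {paths}")
    print("needs review:", unexplained_additions(report))
```

A non-empty `modified` or `unexplained_additions` result is a review queue, not a verdict: sdists legitimately differ from git in generated metadata, and the allowlist captures only the patterns known for this package. The point of the check is that it ties the tarball Debian builds from back to a specific upstream commit, which the pristine-tar plus redirector arrangement by itself does not.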