[email protected] wrote:

>As I understand it, Debian was affected by the xz-utils hack, in part, because
>some artifacts were inserted into an upstream tarball that were not
>represented in the upstream git. Please explain how use of tag2upload is
>relevant to this scenario? I'm afraid I don't follow.

I think that it was assumed, and I agree, that a well-maintained Debian git source tree has the upstream branch pulled from the upstream git repository, keeping the complete history, and not created locally by importing upstream tar release archives.
-- ciao, Marco
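
The gap discussed in this message, files in a release tarball that are not represented in the upstream git tag, can be checked mechanically. The following is an added example, not part of the original message and not tag2upload code: it compares a tarball against `git ls-tree -r <tag>` output, assuming a SHA-1 repository; all function names, file names and sample contents are constructed for illustration.

```python
import hashlib
import io
import tarfile

def git_blob_id(data: bytes) -> str:
    # Object id git assigns to file content in a SHA-1 repository.
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()

def parse_ls_tree(text: str) -> dict:
    # Each `git ls-tree -r <tag>` line is "<mode> <type> <id>\t<path>".
    tree = {}
    for line in text.splitlines():
        meta, path = line.split("\t", 1)
        _mode, objtype, objid = meta.split()
        if objtype == "blob":
            tree[path] = objid
    return tree

def tarball_blob_ids(tarball: bytes) -> dict:
    ids = {}
    with tarfile.open(fileobj=io.BytesIO(tarball)) as tar:
        for m in tar:
            if m.isfile():
                # Release tarballs wrap everything in one "name-version/" directory.
                path = m.name.partition("/")[2] or m.name
                ids[path] = git_blob_id(tar.extractfile(m).read())
    return ids

def compare(tarball: bytes, tree: dict) -> dict:
    # Paths shipped but not in the tag, in the tag but not shipped, or altered.
    shipped = tarball_blob_ids(tarball)
    return {
        "only_in_tarball": sorted(set(shipped) - set(tree)),
        "only_in_git": sorted(set(tree) - set(shipped)),
        "modified": sorted(p for p in shipped if p in tree and shipped[p] != tree[p]),
    }

def build_sample():
    # Constructed sample: a three-file "tag" and a tarball that diverges from it.
    git_files = {"configure.ac": b"AC_INIT\n", "src/main.c": b"int x;\n", ".gitignore": b"*.o\n"}
    ls_tree = "".join("100644 blob %s\t%s\n" % (git_blob_id(d), p) for p, d in git_files.items())
    tar_files = {**git_files, "src/main.c": b"int y;\n", "m4/extra.m4": b"# not in git\n"}
    del tar_files[".gitignore"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in tar_files.items():
            info = tarfile.TarInfo("demo-1.0/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), ls_tree
```

Files generated by the release process (for example an autotools `configure`) legitimately appear under `only_in_tarball`, so each entry there needs review rather than automatic rejection.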

