* Marco d'Itri: "Re: [RFC] General Resolution to deploy tag2upload" (Wed, 12 Jun 2024 14:37:25 -0000 (UTC)):
> [email protected] wrote:
>
> >As I understand it, Debian was affected by the xz-utils hack, in part,
> >because some artifacts were inserted into an upstream tarball that were not
> >represented in the upstream git. Please explain how use of tag2upload is
> >relevant to this scenario? I'm afraid I don't follow.
>
> I think that it was assumed, and I agree, that a well-maintained Debian
> git source tree has the upstream branch pulled from the upstream git
> repository, keeping the complete history, and not created locally by
> importing upstream tar release archives.

Just as a note often forgotten in this discussion: There are upstreams that
don't use git and are even heavily opposed to git. Hopefully I have
nevertheless "well-maintained Debian git source trees" for the Tryton suite... ;)

--
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6

