On Tuesday, 10 January 2012 22:23:25 P. Christeas wrote:
> On Tuesday 10 January 2012, Buchan Milne wrote:
> > I think we should be in the position to be able to verify the origin of
> > any software we provide to users.
> > ...
>
> Just a reminder: a git-based build process would implicitly cover that
> aspect, since the commit SHAs would be traceable back to the code
> maintainers.

As far as I understand, it wouldn't necessarily provide a guarantee that the upstream git was compromised before it was cloned by the package maintainer.

Regards,
Buchan
