Quoting Milan Kupcevic (2024-04-21 01:03:12)
> On 4/20/24 15:59, Johannes Schauer Marin Rodrigues wrote:
> > Quoting Milan Kupcevic (2024-04-20 21:46:14)
> >> On 4/20/24 15:05, Johannes Schauer Marin Rodrigues wrote:
[...]
> >>> Quoting Milan Kupcevic (2024-04-20 20:50:27)
> >>>> This package builds just fine either on or off an island. The "pre-built
> >>>> artifacts" is actually the build support provided by the upstream for their
> >>>> official release package. It is nice to rebuild the build support, but is not
> >>>> required nor always desired.
> >>>
> >>> what is your reasoning to not rebuild them and to instead use the pre-built
> >>> artifacts from the release package?
> >>>
> >>> Would anything break?
> >>>
> >>
> >> Stunt lines injected in the building scripts would be very undesirable.
> >
> > How about using the upstream git instead of the release tarball as the base for
> > the packaging?
> I would rather stick with the official release tarballs as they get signed
> with the upstream developer's key.
I think we just recently had a long discussion in Debian about using the upstream git as source for the packaging instead of the release tarball in the light of how the recent xz-utils attack was performed. Maybe you can convince upstream to sign their git commits and/or tags.

If you think there is nothing actionable about this bug, feel free to close it.

Thanks!

cheers, josch