On 2024-04-04 21:39:51 +0200 (+0200), kpcyrd wrote: [...] > I don't know if Debian has this kind of provenance information available, to > my knowledge, Debian operates on "our maintainers upload .tar.xz files into > our archive and we take them for face value". Which does make sense, > considering not every software project uses git, some may develop their own > VCS, some software projects do not have any VCS at all and it's just one > person applying patches to a folder on their local computer and uploading > .tar snapshots to a webserver every other month. [...]
Looking at this with my upstream hat on, there is more information in a Git repository than is represented in a flat export of its worktree. Some projects consider the Git metadata context to be part of the source code, and run source build processes in order to bake that additional information into our source archives. -- Jeremy Stanley
signature.asc
Description: PGP signature
