Hi,
On 2024-04-11 14:43, Andreas Enge wrote:
> Hello,
> On Wed, Apr 10, 2024 at 03:57:20PM +0200, Ludovic Courtès wrote:
> > I think we should gradually move to building everything from
> > source—i.e., fetching code from VCS and adding Autoconf & co. as inputs.
> The big drawback of this approach is that we would lose maintainers'
> signatures, right?
> Would the suggestion to use signed tarballs, but to autoreconf the
> generated files, not be a better compromise between trusting and
> distrusting upstream maintainers?
> Andreas
Probably not, because the release tarballs might contain code that is not
present in the Git history, and there are not that many eyes checking
them. This time it was autoconf, but it might be anything else.
The maintainers' machines can be hijacked too... I think it's just
better to obtain the exact same code that is easy to find and everybody
is reading.
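Both the compromise Andreas proposes (signed tarball, generated files redone with autoreconf) and the reply's objection come down to one question: what does the tarball contain that the repository does not? The following is an added example, not code from this thread or from Guix, that answers it for a constructed sample layout; the directory names, file names and the list of regenerated files are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list the files a release tarball
# carries that the VCS tree at the same version does not, ignoring files
# that autoreconf regenerates anyway. Whatever is left is the part of the
# tarball that "signed tarball + autoreconf" does not cover and that a
# reviewer still has to read. Layout and names below are assumptions.

# Files autoreconf/libtoolize overwrite, so their tarball copies are never used.
GENERATED_RE='^(configure|aclocal\.m4|config\.h\.in|config\.guess|config\.sub|install-sh|depcomp|missing|compile|ltmain\.sh|INSTALL)$|(^|/)Makefile\.in$|^m4/(libtool|ltoptions|ltsugar|ltversion|lt~obsolete)\.m4$'

# Print paths present in $1 (unpacked tarball) but absent from $2 (VCS
# checkout of the matching tag), skipping the generated files above.
tarball_only_files() {
    tarball_dir=$1
    vcs_dir=$2
    ( cd "$tarball_dir" && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r f; do
        [ -e "$vcs_dir/$f" ] && continue
        printf '%s\n' "$f" | grep -Eq "$GENERATED_RE" && continue
        printf '%s\n' "$f"
    done
}

# Succeed only when the tarball adds nothing that the VCS tree lacks.
tarball_matches_vcs() {
    [ -z "$(tarball_only_files "$1" "$2")" ]
}

# Constructed sample: a tiny release whose only unexplained extra is an
# m4 macro file (m4/extra.m4, a made-up name) with no counterpart in VCS.
setup_sample() {
    root=$1
    mkdir -p "$root/release/m4" "$root/release/src" "$root/vcs/src" "$root/vcs/.git"
    for f in configure aclocal.m4 Makefile.in src/Makefile.in configure.ac src/main.c m4/extra.m4; do
        : > "$root/release/$f"
    done
    : > "$root/vcs/configure.ac"
    : > "$root/vcs/src/main.c"
    : > "$root/vcs/.git/HEAD"
}

# Stand-alone run: report the leftovers for the sample trees.
tmp=$(mktemp -d)
setup_sample "$tmp"
tarball_only_files "$tmp/release" "$tmp/vcs"   # prints m4/extra.m4
rm -rf "$tmp"
```

On a real release the same two functions are pointed at the unpacked signed tarball and a checkout of the corresponding tag; a non-empty list is what has to be reviewed by hand.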