Re: Validating tarballs against git repositories

[Adrian Bunk <bunk@debian.org>]

On Sat, Mar 30, 2024 at 11:55:04AM +0000, Luca Boccassi wrote:
>...
> In the end, massaged tarballs were needed to avoid rerunning
> autoconfery on twelve thousands different proprietary and
> non-proprietary Unix variants, back in the day. In 2024, we do
> dh_autoreconf by default so it's all moot anyway.
>...

The first step of the xz exploit was in a vendored gnulib m4 file that
is not (and should not be) in git and that does not get updated by 
dh_autoreconf.

cu
Adrian