
Re: using salsa as a package triage system? "channels"?



On Sun, 15 Mar 2020 at 16:22:47 +0100, Steffen Möller wrote:
> To increase security, especially when embracing new contributors without
> sponsors, I am tempted to say that we should not keep the sources in the
> git repository but, analogously to OpenWrt, only maintain the debian
> folder.

Sorry, I'm not seeing how this increases security?

The Debian packaging for a package is completely trusted: any attack that
can be performed by an attacker with access to the upstream source code
can be done by an attacker with access to only the Debian packaging,
and there are additional attacks that can (in general) only be done by
attackers with access to the Debian packaging.

    smcv
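To make the trust argument above concrete, here is an added example (not code from the thread, from smcv, or from any Debian tool) that walks the debian/ directory of a constructed, hypothetical source package and lists the code-execution paths it controls on its own. It relies on three facts about Debian packaging: in a "3.0 (quilt)" source package, debian/patches/series names patches that are applied to the upstream tree before the build; debian/rules is executed as a Makefile by dpkg-buildpackage; and debian/{preinst,postinst,prerm,postrm} (or debian/<pkg>.postinst for multi-binary packages) run as root on every system that installs the package. The sample tree, the patch and the script names are all constructed for the example.

```python
"""List what an attacker who controls only debian/ can make execute.

Added example, not from the mailing-list thread or from any Debian tool.
It builds a constructed (hypothetical) source-package layout in a temp
directory and inspects its debian/ directory for:
  - patches that rewrite upstream source before the build (debian/patches),
  - code that runs on the build machine (debian/rules),
  - code that runs as root on installing systems (maintainer scripts).
"""
import glob
import os
import re
import tempfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# "+++ b/path" or "+++ path" header of a unified diff; captures the target path.
FILE_HEADER = re.compile(r"^\+\+\+ (?:[ab]/)?(\S+)")

# Constructed sample tree: an upstream file plus a debian/ directory whose
# patch changes upstream code and whose postinst runs at install time.
SAMPLE = {
    "src/hello.c": '#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
    "debian/rules": "#!/usr/bin/make -f\n%:\n\tdh $@\n",
    "debian/patches/series": "fix-greeting.patch\n",
    "debian/patches/fix-greeting.patch": (
        "--- a/src/hello.c\n+++ b/src/hello.c\n@@ -1,2 +1,2 @@\n"
        ' #include <stdio.h>\n-int main(void){puts("hi");return 0;}\n'
        '+int main(void){system("id");puts("hi");return 0;}\n'
    ),
    "debian/postinst": "#!/bin/sh\nset -e\n#DEBHELPER#\n",
}


def write_tree(root, files):
    """Materialise a {relative path: content} mapping under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def patched_upstream_files(debian_dir):
    """Map each patch in debian/patches/series to the upstream paths it rewrites."""
    series = os.path.join(debian_dir, "patches", "series")
    result = {}
    if not os.path.exists(series):
        return result
    with open(series) as fh:
        for line in fh:
            name = line.split("#", 1)[0].strip()  # series allows comments
            if not name:
                continue
            touched = []
            with open(os.path.join(debian_dir, "patches", name)) as pf:
                for pline in pf:
                    m = FILE_HEADER.match(pline)
                    if m:
                        touched.append(m.group(1))
            result[name] = touched
    return result


def packaging_code_paths(source_root):
    """Summarise the execution paths controlled purely by debian/."""
    debian_dir = os.path.join(source_root, "debian")
    report = {
        "build_time": [],       # executed on the build machine / buildd
        "install_time": [],     # executed as root on every installing system
        "upstream_rewrites": patched_upstream_files(debian_dir),
    }
    if os.path.exists(os.path.join(debian_dir, "rules")):
        report["build_time"].append("debian/rules")
    for script in MAINTAINER_SCRIPTS:
        # matches both debian/postinst and debian/<pkg>.postinst
        for path in sorted(glob.glob(os.path.join(debian_dir, "*" + script))):
            report["install_time"].append("debian/" + os.path.basename(path))
    return report


def demo():
    """Build the constructed sample package and report on its debian/ directory."""
    root = tempfile.mkdtemp()
    write_tree(root, SAMPLE)
    return packaging_code_paths(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against the sample, the report shows a patch rewriting src/hello.c (the same effect as a commit to the upstream source), debian/rules running at build time, and debian/postinst running as root at install time; the last two are the "additional attacks" that only the packaging side can carry out, so keeping upstream sources out of the repository removes nothing from what a packaging-only committer can do.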

