[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: using salsa as a package triage system? "channels"?

On Sun, 15 Mar 2020 at 16:22:47 +0100, Steffen Möller wrote:
> To increase security especially when embracing new contributors without
> sponsors, I am tempted to say that we should not keep the sources in the
> git repository but analogously also to OpenWrt only maintain the debian
> folder.

Sorry, I'm not seeing how this increases security?

The Debian packaging for a package is completely trusted: any attack that
can be performed by an attacker with access to the upstream source code
can be done by an attacker with access to only the Debian packaging,
and there are additional attacks that can (in general) only be done by
attackers with access to the Debian packaging.


Reply to: