
Re: New supply-chain security tool: backseat-signed



On Sat, Apr 06, 2024 at 07:13:22PM +0800, Sean Whitton wrote:
> Hello,
> 
> On Fri 05 Apr 2024 at 01:31am +03, Adrian Bunk wrote:
> 
> >
> > Right now the preferred form of source in Debian is an upstream-signed
> > release tarball, NOT anything from git.
> 
> The preferred form of modification is not simply up for proclamation.
> Our practices, which are focused around git, make it the case that
> salsa & dgit in some combination are the preferred form for modification
> for most packages.

You cannot simply proclaim that some git tree is the preferred form of 
modification without shipping said git tree in our ftp archive.

If your claim was true, then Debian and downstreams would be violating 
licences like the GPL by not providing the preferred form of modification
in the archive.

> Sean Whitton

cu
Adrian

