On Mon, Aug 18, 2025 at 08:19:49PM +0200, Alexandre Detiste wrote:
> Worst case scenario is when the guy submitting the 3 PR is the XZ hacker.
>
> That _did_ happen:
> https://salsa.debian.org/games-team/empire/-/merge_requests/1
> https://salsa.debian.org/games-team/empire/-/merge_requests/2
> https://news.ycombinator.com/item?id=39868390
>
> So MR for pristine-tar & upstream branch are too big to review and
> can never be trusted if they are from newcomers.

so far I can follow...

> Having a magic button somewhere in the tracker or Salsa
> that basically asks "do the gbp-import" for me would be awesome.

and here I cannot follow anymore, because the MR for pristine-tar & upstream
branch is still too big to review and why would you trust a gigantic web
application running on a server which is a huge target?

-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Segregation was legal. Slavery was legal. Don't use legality as a guide to
morality. Outlaw profits from fossil fuel.