Maytham Alsudany <maytha8thedev@gmail.com> writes:

> https://salsa.debian.org/go-team/packages/golang-github-go-git-go-git-fixtures

I looked at this update, and one of the proposed changes is to include all of the pre-generated stuff from here:

https://github.com/go-git/go-git-fixtures/tree/master/data

directly into the installed Debian package.

Given the recent xz fiasco, I have doubts that this is a good idea -- there is a bunch of pre-generated compressed git repositories in that directory, and I don't see any way to re-create them from scratch. They seem to have been manually curated by some developer in the past and then compressed and uploaded, somewhat similar to how the xz problem happened.

Dropping these files may mean we don't test as much of go-git as is possible to test, but the alternative, that we create a vector to inject binaries with no source code into Debian, seems worse.

Could you modify this package to drop any files that we cannot re-create during the build? Maybe the entire package becomes useless; if so, then we should just remove it IMHO.

Of course, I only did a cursory review, so I may have misunderstood how this project works and the relevance of these files.

/Simon