Hi,

On Tuesday, 16.06.2015, 20:39 -0700, Iustin Pop wrote:
> In general, I believe that storing upstream code in git is better for reasons
> beyond packaging ease (e.g. authoritative deltas between upstream
> orig.tar.gz as they were uploaded in Debian, reproduction of arbitrary
> past versions, etc.), but I kind of agree that for mass packaging it's
> better to not do that.
>
> That said, I'd prefer if at least the repository records a checksum of
> the upstream archive, since I feel this "checkout git signed tags but
> use unsigned upstream archive from hackage" is not safe enough. Anyway,
> another discussion.

Yes, this is a drawback of that approach, as also noted by Thomas Koch. For tarballs that are already in the archive, the problem is not so big (the authoritative file is there, and one cannot accidentally upload another), but that does not help until the first version is uploaded. hackage-security will eventually help here, but that does not exist yet.

Greetings,
Joachim

--
Joachim "nomeata" Breitner
Debian Developer
nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: F0FBF51F
JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
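Iustin's suggestion above, recording a checksum of the upstream archive in the packaging repository so that a later download from Hackage can be checked against it, is easy to script. The following is an added example, not code from either participant or from the Debian Haskell Group tooling; the file names, the tarball contents and the `upstream.sha256` checksum file are constructed for illustration.

```shell
#!/bin/sh
# Added example: record the SHA-256 of an upstream tarball in the packaging
# repo, and verify a freshly downloaded copy against it before building.
# The checksum file is meant to be committed alongside debian/ so that it is
# covered by the signed git tags mentioned in the thread.

record_upstream_checksum() {
    # $1: path to the upstream tarball as first obtained
    # $2: checksum file to be committed to git ("<sha256>  <basename>")
    hash=$(sha256sum "$1" | cut -d' ' -f1)
    printf '%s  %s\n' "$hash" "$(basename "$1")" > "$2"
}

verify_upstream_checksum() {
    # $1: tarball downloaded now (e.g. from Hackage)
    # $2: checksum file from the repository
    # Returns 0 when the hash matches the recorded one, 1 otherwise.
    expected=$(cut -d' ' -f1 "$2")
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

demo() {
    # Constructed tarball standing in for a Hackage release (hypothetical
    # package "foo-1.0"); nothing here is downloaded.
    tmp=$(mktemp -d)
    mkdir "$tmp/foo-1.0"
    echo 'main = putStrLn "hello"' > "$tmp/foo-1.0/Main.hs"
    tar -C "$tmp" -czf "$tmp/foo-1.0.tar.gz" foo-1.0

    record_upstream_checksum "$tmp/foo-1.0.tar.gz" "$tmp/upstream.sha256"
    cat "$tmp/upstream.sha256"

    if verify_upstream_checksum "$tmp/foo-1.0.tar.gz" "$tmp/upstream.sha256"; then
        echo "ok: downloaded tarball matches the recorded checksum"
    fi

    # Simulate a differing download (one extra byte): must be rejected.
    printf 'x' >> "$tmp/foo-1.0.tar.gz"
    if verify_upstream_checksum "$tmp/foo-1.0.tar.gz" "$tmp/upstream.sha256"; then
        echo "BUG: modified tarball was accepted"
    else
        echo "rejected: tarball differs from the recorded checksum"
    fi
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run `sh script.sh demo` to see both the accepting and the rejecting path. The check only ties a later download to whatever file was first recorded; as the reply notes, it cannot establish that the first copy itself was the authentic one, which is the gap hackage-security was meant to close.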