trusting PyPI to store the official release tarballs...
trusting PyPi store without PGP signature is really bad idea.
I've also kept the full upstream history in the upstream branch,
assuming this to be more robust and powerful. For example, this allows
to directly cherry-pick commits into the patch queue.
you can cherry-pick commits into pq even without full upstream history in salsa git, using second remote.
Since both these practices are discouraged by the policy, I'm ready to
give them up, but before I spend time working on it, I would like to ask
I prefer to have git layout according to DPMT policy. There are reasons for it.