
   linux.debian.bugs.dist   (28,835 messages)   

   Message 27,266 of 28,835   
   Simon Josefsson to Jochen Sprickerhof   
   Bug#1127616: developers-reference: shoul   
   11 Feb 26 21:00:01   
   
   XPost: linux.debian.devel, linux.debian.policy   
   From: simon@josefsson.org   
      
   Jochen Sprickerhof  writes:   
      
   > Python Team:   
   >   
   > "DPT requires a pristine-tar branch"   
   >   
   > https://salsa.debian.org/python-team/tools/python-modules/blob/master/policy.rst   
      
   The Python Team's Policy insistence on use of pristine-tar and throwing   
   away upstream git history is [1]:   
      
      DPT requires a pristine-tar branch, and only upstream tarballs can be   
      used to advance the upstream branch. Complete upstream Git history   
      should be avoided in the upstream branch.   
      
   The pypi.debian.net man-in-the-middle upstream tarball redirector is the   
   recommended (?) debian/watch URL to use for Python packages [2].   
      
   I find this combination really odd.  It is a great setup to enable   
   xz-style attacks: (several) trusted indirections and lack of audit-chain   
   between the source code consumed by Debian and the source code from the   
   upstream maintainer git repository.   
      
   Debian is using Python sources from pypi.debian.net, which may or may   
   not be the actual pypi.org tarball, which may or may not be the source   
   code coming from each upstream's actual source repository.   
      
   /Simon   
      
   [1] https://salsa.debian.org/python-team/tools/python-modules/blob/master/policy.rst   
   [2] https://wiki.debian.org/Python/LibraryStyleGuide   
      
   -----BEGIN PGP SIGNATURE-----   
      
   iQNoBAEWCgMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmmM3eQUHHNpbW9uQGpv   
   c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f   
   V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z   
   ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh   
   BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA   
   /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx   
   +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx   
   I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0   
   +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R   
   cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE   
   8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J   
   ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6   
   qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB   
   BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA   
   JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF   
   PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh   
   is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFop3fAQCaMhiJnjfH   
   Epv1uhbW7KfKCnDkgKKwJYLDPKgD3Zm1RQD/YSRJPY2i3FCfzntC87BdMeIzsOO4   
   EmUYi7QcZwr5DAA=   
   =88oN   
   -----END PGP SIGNATURE-----   
      
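The audit-chain gap the message describes (the tarball Debian consumes versus the tree in the upstream maintainer's git repository) is something a packager can check mechanically rather than trust through two redirections. The following is an added example, not part of the original post and not Debian or Python Team tooling: it hashes every regular file in a release tarball and in a git checkout of the corresponding tag, then reports files present only in the tarball, only in git, or present in both but with different content. This is exactly the class of divergence behind the xz backdoor, where the malicious build-to-host.m4 shipped in the release tarball but never appeared in git. The sample tarball and checkout are constructed inline (the package name foo-1.0, the file paths and their contents are made up) so the script runs offline; against a real package you would point it at the tarball fetched via debian/watch and a `git checkout <tag>` of upstream.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def hash_tree(root):
    """Map relative path -> sha256 for every regular file under root, skipping .git."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests


def hash_tarball(tar_path):
    """Map path (with the tarball's single top-level directory stripped) -> sha256."""
    digests = {}
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            if len(parts) != 2:  # a file at the top level has no prefix to strip
                continue
            data = tar.extractfile(member).read()
            digests[parts[1]] = hashlib.sha256(data).hexdigest()
    return digests


def diff_tarball_against_git(tar_path, checkout_dir):
    """Return the three kinds of divergence between a release tarball and a git tree."""
    tar_digests = hash_tarball(tar_path)
    git_digests = hash_tree(checkout_dir)
    common = set(tar_digests) & set(git_digests)
    return {
        "only_in_tarball": sorted(set(tar_digests) - set(git_digests)),
        "only_in_git": sorted(set(git_digests) - set(tar_digests)),
        "modified": sorted(p for p in common if tar_digests[p] != git_digests[p]),
    }


def _add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample(workdir):
    """Constructed sample (hypothetical package foo-1.0): a git checkout plus a
    tarball that silently diverges from it in two ways."""
    checkout = os.path.join(workdir, "foo-1.0-git")
    os.makedirs(os.path.join(checkout, "src"))
    files = {
        "setup.py": b"from setuptools import setup\nsetup(name='foo')\n",
        "src/foo.py": b"def hello():\n    return 'hi'\n",
    }
    for rel, data in files.items():
        with open(os.path.join(checkout, rel), "wb") as f:
            f.write(data)

    tar_path = os.path.join(workdir, "foo-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tar:
        for rel, data in files.items():
            if rel == "src/foo.py":
                # content changed in the tarball only (never committed upstream)
                data += b"import os\nos.system('echo pwned')\n"
            _add_bytes(tar, "foo-1.0/" + rel, data)
        # file that exists only in the tarball, as build-to-host.m4 did for xz
        _add_bytes(tar, "foo-1.0/build-aux/extra.m4", b"dnl generated\n")
    return tar_path, checkout


def run_sample():
    """Build the constructed sample in a temp dir and return the divergence report."""
    with tempfile.TemporaryDirectory() as workdir:
        tar_path, checkout = build_sample(workdir)
        return diff_tarball_against_git(tar_path, checkout)


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(f"{kind}: {paths}")
```

A clean result for a real package is three empty lists; anything in `only_in_tarball` or `modified` is content Debian would build from that no reviewer of the upstream git history has seen, and is worth a look before it is imported into a pristine-tar branch.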



(c) 1994,  bbs@darkrealms.ca