this post was submitted on 22 Dec 2025
67 points (98.6% liked)


tl;dr:

There is a Debian git transition plan. It’s going OK so far but we need help, especially with outreach and updating Debian’s documentation.

[–] data1701d@startrek.website 5 points 1 day ago (1 children)

Not really. If xz were the issue, Debian would have just switched to a different tarball format like lz4.

This is more about Debian packaging conventions being very archaic and requiring a lot of futzing with upstream tarballs and patches.

[–] moonpiedumplings@programming.dev 7 points 1 day ago (1 children)

The backdoor of the xz utils program(s) was in the tarball release, but not the main source code:

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

If Debian had dodged the upstream tarball, then they wouldn't have been affected by this.

[–] data1701d@startrek.website 2 points 1 day ago

I mean, that's true, but that doesn't mean that's why Debian's doing it.

If they were solving just that, then they would have just pushed for something like a reproducible tarball where you can point to a commit, branch, tag, etcetera from which that tarball can be reproduced and not bother migrating their package format.

Debian has a serious ease-of-packaging issue that I've witnessed first-hand, and I think they've made it clear that it's more so the ease factor they're focused on than the security factor.
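
The check this thread keeps circling, as an added example that is not part of any comment above: compare the files in a release tarball with the tree at the tag it claims to come from, and list anything the tarball adds or changes. The tree is modelled here as an in-memory dict and every file name and content is constructed sample data; in practice the tree would come from a checkout of the tag.

```python
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tarball(files: dict, prefix: str) -> bytes:
    """Build an in-memory .tar.gz from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_hashes(blob: bytes) -> dict:
    """Map path (top-level directory stripped) -> SHA-256 for each regular file."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                rel = member.name.partition("/")[2] or member.name
                out[rel] = sha256(tar.extractfile(member).read())
    return out


def compare(tag_tree: dict, blob: bytes) -> dict:
    """Report files the tarball adds, changes, or drops relative to the tagged tree."""
    want = {p: sha256(d) for p, d in tag_tree.items()}
    got = tarball_hashes(blob)
    return {
        "only_in_tarball": sorted(set(got) - set(want)),
        "modified": sorted(p for p in got.keys() & want.keys() if got[p] != want[p]),
        "missing": sorted(set(want) - set(got)),
    }


# Constructed sample: the tagged tree, and a release tarball that ships one extra
# generated file and one macro file whose content differs from the tag.
TAG_TREE = {"configure.ac": b"AC_INIT\n", "src/main.c": b"int main(void){return 0;}\n",
            "m4/check.m4": b"dnl as committed\n"}
RELEASE = dict(TAG_TREE, **{"configure": b"#!/bin/sh\n", "m4/check.m4": b"dnl as shipped\n"})

if __name__ == "__main__":
    print(compare(TAG_TREE, make_tarball(RELEASE, "pkg-1.0")))
```

Files under `only_in_tarball` are often legitimate generated build scripts, so the useful output is the short list a reviewer then has to account for, not a pass/fail verdict.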