tl;dr:
There is a Debian git transition plan. It’s going OK so far but we need help, especially with outreach and updating Debian’s documentation.
The backdoor of the xz utils program(s) was in the tarball release, but not the main source code:
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
If Debian had dodged the upstream tarball, then they wouldn’t have been affected by this.
I mean, that’s true, but that doesn’t mean that’s why Debian’s doing it.
If they were solving just that, then they would have just pushed for something like a reproducible tarball where you can point to a commit, branch, tag, etcetera from which that tarball can be reproduced and not bother migrating their package format.
Debian has a serious ease-of-packaging issue that I’ve witnessed first-hand, and I think they’ve made it clear that it’s more so the ease factor they’re focused on than the security factor.