tl;dr:
There is a Debian git transition plan. It’s going OK so far but we need help, especially with outreach and updating Debian’s documentation.
Is this because of the xz utils thing? The backdoor was included into the tarball, but it wasn’t in the git repo.
By switching away from tarballs they pribably hope to prevent that, although this article doesn’t mention that. It’s possible this shift has been happening since before the xz utils.
Not really. If xz were the issue, Debian would have just switched to a different tarball format like lz4.
This is more about Debian packaging conventions being very archaic and requiring a lot of futzing with upstream tarballs and patches.
The backdoor of the xz utils program(s) was in the tarball release, but not the main source code:
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
If debian had dodged the upstream tarball, then they wouldn’t have been affected by this.
I mean, that’s true, but that doesn’t mean that’s why Debian’s doing it.
If they were solving just that, then they would have just pushed for something like a reproducible tarball where you can point to a commit, branch, tag, etcetera from which that tarball can be reproduced and not bother migrating their package format.
Debian has a serious ease-of-packaging issue that I’ve witnessed first-hand, and I think they’ve made it clear that it’s moreso the ease factor they’re focused on that the security factor.
Gives 403 forbidden
