Andreas Tille <andr...@an3as.eu> writes:

> I think Steffen's point was that all the hideousness you are talking
> about was solved in version a.b.c of the software and if version
> a.b.(c+1) builds and passes our test suite it will most probably not
> have changed.

Oh, yeah, to be clear, I don't have any objections to that part. Just to the idea that upstream in general can just maintain the Debian packaging, or that we want to move in that direction. A good Debian package maintainer should still keep an eye on it and update the packaging for Debian best practices. But that can be on an independent cadence from the upstream releases. We do lose some manual review, but I also question how much we're doing manual review now.

I would only want to do this with packages that have upstream signatures, though. We get some amount of timing-based security from Debian maintainers downloading the packages whenever they get around to it, since it's then not predictable when the upstream package will be downloaded and only persistent compromises of upstream's distribution mechanism are likely to be effective. If we're automatically pulling new releases, that can be more predictable and can open us up to ingesting and building transient compromised packages.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
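The "only with upstream signatures" condition above maps onto a concrete check in Debian tooling. The fragment below is an added illustration, not part of the thread and not any particular package's files: a `debian/watch` file (format version 4) that tells uscan to fetch the upstream tarball only if a detached OpenPGP signature verifies against the key pinned in `debian/upstream/signing-key.asc`. The project name, URL and tarball pattern are assumed placeholders.

```text
# debian/watch  (added example; project name and URL are placeholders)
version=4
# pgpmode=auto: uscan looks for a detached signature next to the tarball
# (e.g. example-1.2.3.tar.gz.asc) and refuses the download if it is
# missing or does not verify against debian/upstream/signing-key.asc.
opts="pgpmode=auto" \
  https://example.org/releases/ example-(\d[\d.]+)\.tar\.gz
```

Run `uscan --download --verbose` in the package directory to exercise it; a release with no signature, or one signed by a key that is not in the pinned keyring, is rejected rather than imported. Note what this does and does not buy you: it addresses the signature requirement, so an attacker who can only replace files on the distribution server is stopped, but it does nothing about the loss of timing unpredictability that automatic pulling introduces. A maintainer still has to decide when a verified release actually enters the archive, and a key pinned years ago still needs someone to notice when upstream rotates it.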