by geofft
1753 days ago
I would not expect that

- every distro maintainer is reviewing every upstream change

- every distro maintainer is qualified to review every upstream change if the threat model is malicious / underhanded code (either a malicious upstream, or a malicious contributor that managed to convince upstream to take a patch) and not just well-commented bad ideas

Especially if they're not updating packages on a regular basis, there are plenty of major free software projects that just frankly have a lot of code, and I have also definitely seen (though perhaps more in the olden days) distro maintainers say that they didn't know the language of the code that they were packaging, that upstream's job was writing code and their job was writing packaging. (And, honestly, because upstreams can choose to change languages, this isn't a particularly unreasonable situation to be in.)

And for distros like Debian, packagers are volunteers, and there is no real ability to enforce that people are doing the work in any specific way beyond looking at their diffs. The Debian new maintainer's guide suggests that you diff the old and new versions for "anything suspicious," but has no particular recommendations on how to do so and also tells you to ignore various generated files: https://www.debian.org/doc/manuals/maint-guide/update.en.htm...
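The "diff the old and new versions, ignoring generated files" step from the maint-guide, as an added example; this is not code from the thread, from geofft, or from the Debian guide. The point it makes is the caveat a reviewer wants: once `configure`, `Makefile.in` and friends are excluded from the source diff, a change to a shipped generated file becomes invisible unless the package regenerates it, so the script reports those separately. The exclude patterns, the `review_upstream_diff` / `make_sample_trees` function names and the two sample source trees are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread or the Debian maint-guide.
# Compares two unpacked upstream trees: first the source diff with generated
# files excluded (as the guide suggests), then a second list of generated
# files that changed anyway, which the source diff would silently hide.

# Assumed: typical autotools outputs that a reviewer is told to ignore.
GENERATED='configure Makefile.in aclocal.m4 config.h.in INSTALL'

# Usage: review_upstream_diff OLD_TREE NEW_TREE
# Prints one line per finding: "source<TAB>diff-line" or "generated<TAB>path".
review_upstream_diff() {
    old=$1
    new=$2
    tab=$(printf '\t')

    # 1. The maint-guide style diff: recursive, brief, generated files excluded.
    set --
    for pat in $GENERATED; do
        set -- "$@" -x "$pat"
    done
    diff -rq "$@" "$old" "$new" | sed "s/^/source$tab/"

    # 2. Generated files that differ between the tarballs. Each of these needs
    #    a regeneration check (re-run autoreconf and compare) before it can be
    #    trusted, because nothing in step 1 shows what changed inside them.
    ( cd "$new" && find . -type f ) | while read -r f; do
        base=${f##*/}
        for pat in $GENERATED; do
            case "$base" in
                $pat)
                    if ! cmp -s "$old/$f" "$new/$f" 2>/dev/null; then
                        printf 'generated\t%s\n' "${f#./}"
                    fi
                    break
                    ;;
            esac
        done
    done
}

# Constructed sample input: two tiny "upstream releases" in a temp dir.
# Prints the directory containing old/ and new/.
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/old/src" "$base/new/src"
    printf 'int main(void){return 0;}\n' > "$base/old/src/main.c"
    printf 'int main(void){return 1;}\n' > "$base/new/src/main.c"   # source change
    printf 'int helper(void){return 0;}\n' > "$base/new/src/util.c" # new file
    printf '#!/bin/sh\nexit 0\n' > "$base/old/configure"
    printf '#!/bin/sh\nexit 0 # changed\n' > "$base/new/configure"  # hidden by -x
    printf 'all:\n' > "$base/old/Makefile.in"
    printf 'all:\n' > "$base/new/Makefile.in"                        # unchanged
    printf '%s\n' "$base"
}

# Stand-alone demo: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_trees)
    review_upstream_diff "$d/old" "$d/new"
    rm -rf "$d"
fi
```

On the sample trees the first part reports only `src/main.c` and `src/util.c`; the modified `configure` appears only in the `generated` list, which is exactly the kind of change a reviewer following the guide's "ignore generated files" advice would otherwise never look at.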