Should we stop distributing source tarballs?

Albert Vaca Cintora albertvaka at
Wed Apr 3 17:34:04 BST 2024

Hi KDE folks,

The recent xz backdoor scandal made me realize how bad and obsolete
distributing tarballs is. The source of truth for our code is the
repositories, and releases can simply be tags on those repos.

As a big free software community, I think we should lead by example
and get rid of tarballs altogether (as I hope to see in other projects
as well) after the recent events.

Packagers can git pull.

If we ever replace git with something else, that something else will
have tags as well.

What's the advantage of providing tarballs?


