Should we stop distributing source tarballs?

Dennis Knorr dennis.knorr at
Sun Apr 7 09:56:40 BST 2024

Hi from the peanut gallery,
The xz tarball was only a (minor) part of the problem. A big part of the
backdoor was entirely in git and would be probably also usable if
something else would have been added.

Also, this tight coupling to git makes me uneasy. I like git and it's
one of the best things on earth, but architecturally speaking i do not
think that this tight coupling is really good. Git helps with release
management and that's good, still only relying on git is not something i
would like very much.

The advantage of tarballs are imho:

* making it easier to transition to another repository software if
* making it easier to use for tarball-centric software distributions
* making it easier to use if you want to migrate the repository service
* separates development and development/debugging releases from release

To be honest, i can imagine that at some point, there is enough distro
agnostic tooling that we do not need release/src tarballs any more, but
IMHO that point of time is not there yet.

Just my two cents,

Am 03.04.24 um 18:34 schrieb Albert Vaca Cintora:
> Hi KDE folks,
> The recent xz backdoor scandal made me realize how bad and obsolete
> distributing tarballs is. The source of truth for our code are the
> repositories, and releases can simply be tags on those repos.
> As a big free software community, I think we should lead by example
> and get rid of tarballs altogether (as I hope to see in other projects
> as well) after the recent events.
> Packagers can git pull.
> If we ever replace git with something else, that something else will
> have tags as well.
> What's the advantage of providing tarballs?
> Albert

More information about the kde-devel mailing list