tl;dr:
There is a Debian git transition plan. It’s going OK so far but we need help, especially with outreach and updating Debian’s documentation.
Is this because of the xz utils thing? The backdoor was included into the tarball, but it wasn’t in the git repo.
By switching away from tarballs they pribably hope to prevent that, although this article doesn’t mention that. It’s possible this shift has been happening since before the xz utils.
Not really. If xz were the issue, Debian would have just switched to a different tarball format like lz4.
This is more about Debian packaging conventions being very archaic and requiring a lot of futzing with upstream tarballs and patches.
The backdoor of the xz utils program(s) was in the tarball release, but not the main source code:
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
If debian had dodged the upstream tarball, then they wouldn’t have been affected by this.
Gives 403 forbidden
