On Fri, Jul 07, 2017 at 09:20:07PM +0800, Alex Vong wrote: > Ahhh, I blindly used the links from debian security tracker. Should have > been more careful. I wonder why they use links from an unofficial mirror. I noticed they were doing that, and I don't understand why. It *is* convenient to have a relatively stable changeset ID in the form of Git commit hashes. I asked about it on oss-security and the repo was confirmed to be unofficial: http://seclists.org/oss-sec/2017/q1/15 It has been acknowledged by the libtiff maintainer: http://maptools-org.996276.n3.nabble.com/git-version-control-td13746.html