salsa.debian.org (git.debian.org replacement) going into beta

Paul Sherwood paul.sherwood at codethink.co.uk
Wed Dec 27 12:07:32 UTC 2017


On 2017-12-25 22:25, Holger Levsen wrote:
> Hi reproducible Debian folks,
> 
> I guess you have seen
> https://lists.debian.org/debian-devel-announce/2017/12/msg00003.html
> which led to this on -devel:
> 
> On Mon, Dec 25, 2017 at 06:59:21PM +0100, Alexander Wirt wrote:
>> On Mon, 25 Dec 2017, Holger Levsen wrote:
>> > On Mon, Dec 25, 2017 at 11:45:37AM +0100, Alexander Wirt wrote:
>> > > External users are invited to create an account on salsa.
>> > do you plan importing the current -guest accounts from alioth?
>> No.
> 
> For us this could mean that we'll need to ask a bunch of non-Debian people to
> recreate accounts on salsa.d.o, at which point I expect a lot of "why don't we
> use github" questions, to which I'm not sure I have a good answer...

At risk of stirring up some of the debate that Chris mentions, I have an 
answer, based on some experience:

- GitHub is proprietary, so we cannot properly assess what is being 
done to/with the repos, or who is doing it.
- To make promises about the integrity of content at GitHub, we would be 
wise to maintain independent external mirrors of what we care about, and 
react to any attempt to re-write blessed branch histories in upstreams 
that we believe or need to be well-behaved.

GitLab, being open core, appears to avoid the proprietary problem and 
provides some excellent workflow tools. Even with GitLab I would still 
recommend keeping independent mirrors of all sources and watching for 
signs of tampering. We've been doing this for some time with the 
git.baserock.org repositories, for example.

br
Paul
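
An added example, not part of the original message and not the Baserock tooling: one way to watch an independent mirror for rewritten branch history, by requiring that the previously recorded tip is an ancestor of the newly fetched one. The function name and the ref namespaces `refs/blessed/*` and `refs/incoming/*` are assumptions chosen for this sketch.

```shell
#!/bin/sh
# Added example: detect rewritten history on mirrored branches.
# refs/blessed/* (last accepted tip) and refs/incoming/* (quarantine)
# are names chosen here, not a git or GitLab convention.

# check_mirror MIRROR_GIT_DIR UPSTREAM_URL BRANCH...
# Prints one status line per branch. Returns 0 if every branch is new,
# unchanged or fast-forwarded; 1 if any was rewritten or is missing.
check_mirror() {
    mirror=$1; upstream=$2; shift 2
    rc=0
    for branch in "$@"; do
        # Fetch into a quarantine ref; "+" lets a rewritten tip land there
        # for inspection without touching the blessed ref.
        if ! git -C "$mirror" fetch -q "$upstream" \
                "+refs/heads/$branch:refs/incoming/$branch" 2>/dev/null; then
            echo "MISSING $branch"; rc=1; continue
        fi
        new=$(git -C "$mirror" rev-parse --verify -q "refs/incoming/$branch")
        old=$(git -C "$mirror" rev-parse --verify -q "refs/blessed/$branch") || old=""
        if [ -z "$old" ]; then
            state=NEW
        elif [ "$old" = "$new" ]; then
            state=UNCHANGED
        elif git -C "$mirror" merge-base --is-ancestor "$old" "$new"; then
            state=FAST-FORWARD
        else
            # Old tip is not an ancestor of the new tip: history was rewritten.
            # Keep refs/blessed/* as is so the original commits stay reachable.
            echo "REWRITTEN $branch $old $new"; rc=1; continue
        fi
        git -C "$mirror" update-ref "refs/blessed/$branch" "$new"
        echo "$state $branch"
    done
    return $rc
}
```

Run from a scheduler against a bare mirror, a non-zero return is the signal to investigate before anything is built from that branch.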
