[Openstack-devel] Moving all git repositories to git.gplhost.com

Lucas Nussbaum leader at debian.org
Wed Nov 20 21:57:07 UTC 2013


Hi Thomas,

On 20/11/13 at 17:32 +0800, Thomas Goirand wrote:
> Hi,
> 
> For many reasons, I don't believe that Alioth is a good place to host
> the packages for OpenStack. Some of the reasons:
> 
> - Alioth has been dead for 10+ days, with almost zero communication from
> its admins. It is *still* dead as we speak, even though I could get my
> files back. I don't want to wait even a single hour, so I moved
> everything already...
> 
> - Alioth has a fail2ban script which is constantly annoying me when
> doing mass-fixes. Asking for a change of this always resulted in a
> stupid reply such as that my configuration is wrong (which isn't true).
> 
> - Downloading (eg: git clone) from Alioth is painfully slow. Hosting the
> git for OpenStack packages on the same data center as the Jenkins
> servers speeds up the build process.
> 
> - I don't really trust the security model of Alioth, and I prefer to
> handle things differently.
> 
> - I want to be able to provide shell accounts that *I* manage, and
> provide user repositories over ssh whenever asked.
> 
> - I prefer to have the root on the server, as it has been painful to
> manage unix rights, with un-cooperative Alioth admins especially with
> unresponsive team members (asking for a single chmod was too much to
> ask...).
> 
> - The recent event shows that there were no useful backups on Alioth, which
> is very scary (or at least, no backup which I could access, which is
> exactly the same).
> 
> - I don't want to suffer for more than 48 hours of down time, blocking
> my work of packaging.
> 
> - Alioth admins aren't receptive to any kind of suggestion, like using a
> distributed storage (like Ceph) and the cloud, which would be the
> obvious thing to do here (since Alioth is struggling with the load). I
> don't want to continue using a server which has a huge load and is not
> responsive enough.
> 
> - Hosting everything on the same server, I mean the KGB bot and the git
> repository, allows me to do more security (nobody with access to Alioth
> will be able to read the KGB bot passwords), and to generate the KGB bot
> config on the same host, whenever there's a new Git repository, which is
> both safer and faster. It took me a few minutes to do it, and I'm happy
> with the result.
> 
> It is also my view that we should never have left Alioth administered
> by anyone else but the DSA. The recent event proves it, and that's not the
> only time where we had huge down time.
> 
> So, you will find all package repositories available with anonymous
> checkout (eg: git clone) at:
> http://git.gplhost.com/openstack/<package>.git
> 
> You can of course browse here:
> http://git.gplhost.com/openstack/
> 
> There's also a gitweb at:
> http://git.gplhost.com/gitweb/
> 
> I'm in the process of fixing all VCS fields for all packages, though of
> course, fixes will only happen at the next upload of all packages.
> 
> If anyone needs a shell account to host a public Git repository, just
> let me know, and I'll add a shell account for you. Though I think it's
> not really needed. Anyone with a server, ssh access and web access, can
> set up a public Git repository. If you don't know how, I've explained
> that here:
> 
> http://dtcsupport.gplhost.com/Git/Public-Repo-Howto
> 
> If you don't have such infrastructure at your disposal, you can always
> use something like Github (though I'm not a fan of it because of its
> non-free nature).
> 
> Then I think the best way forward will be to ask for a pull request on
> IRC: just give me your public repository URL, and then I'll just pull
> from it. Easy enough...
> 
> I hope this solution will satisfy everyone,

No, it doesn't. Please don't.

As a project, I think that it is important that we maintain packages in
a consistent way across the whole distribution. That involves using
standard tools and infrastructure, unless you have a very good reason to
do so.

Throwing suggestions, "views" and FUD at Alioth admins and DSA during a
crisis, and then complaining that you are not being heard, is totally
useless and counterproductive.  Alioth is a key part of Debian's
infrastructure, and I agree that we should address the underlying
problems so that the same chain of events doesn't ever happen again.

But you should be supportive and cooperative, not throw shit at some
Debian contributors and force others to go through loops to contribute to
the OpenStack packages (which are not *your* packages, btw).

Also, I would like to use this opportunity to ask you to clarify your
situation regarding the OpenStack packages. I've heard that you were
paid to work on the OpenStack Debian packages.
- Could you clarify how that affects your work on those packages?
- How do you protect Debian from being manipulated, through you, by
  the company that pays you?
- Given the context, did you consider defining a more formal
  decision-making process together with the other co-maintainers, for
  important packaging decisions?

Lucas