salsa.debian.org (git.debian.org replacement) going into beta
Paul Sherwood
paul.sherwood at codethink.co.uk
Thu Dec 28 11:15:24 UTC 2017
On 2017-12-27 17:38, Nicolas Vigier wrote:
> On Wed, 27 Dec 2017, Paul Sherwood wrote:
>> - GitHub is proprietary, so we can not properly assess what is being
>> done to/with the repos, or who is doing it.
>
> While there might be other reasons to prefer using services from people
> who also publish free software, I don't think "properly assessing what
> is being done to/with the repos" is one of them.
OK, we seem to disagree on this, then.
I see value in establishing that the history of a repo is what it claims
to be; widespread access to the source of GitLab gives me some
(misplaced?) comfort, but I may be wrong.
> In both cases we
> don't have access to their servers, so we cannot check that they are
> running exactly the same software they are publishing. So in both cases
> we have to trust them.
True. Hence my suggestion of maintaining up-to-date mirrors in something
else, and watching for inconsistencies. Arguably this applies for all
services we don't control, including cloud infrastructure?
br
Paul
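
One way to do the "mirror and watch for inconsistencies" check suggested in this message, as an added example that is not from the thread or from any project mentioned in it. It compares the ref tips an independent mirror last recorded with the tips the hosting service now advertises; the ancestry test stands in for `git merge-base --is-ancestor` run inside the mirror clone, and the commit ids, ref names and parent graph are constructed.

```python
# Added example: compare ref tips recorded by an independent mirror with the
# tips a hosting service currently advertises, and flag history rewrites.
# All commit ids, ref names and the commit graph below are constructed samples.

def parse_ls_remote(text):
    """Parse `git ls-remote`-style lines (<sha> TAB <ref>) into {ref: sha}."""
    refs = {}
    for line in text.strip().splitlines():
        sha, ref = line.split(None, 1)
        refs[ref.strip()] = sha
    return refs

def is_ancestor(parents, old, new):
    """True if commit `old` is reachable from `new` by following parent links."""
    stack, seen = [new], set()
    while stack:
        commit = stack.pop()
        if commit == old:
            return True
        if commit in seen:
            continue
        seen.add(commit)
        stack.extend(parents.get(commit, ()))
    return False

def compare(mirror, hosted, parents):
    """Classify every ref; 'rewritten' and 'deleted' are the ones to review."""
    report = {}
    for ref in sorted(set(mirror) | set(hosted)):
        old, new = mirror.get(ref), hosted.get(ref)
        if old is None:
            report[ref] = "new"
        elif new is None:
            report[ref] = "deleted"
        elif old == new:
            report[ref] = "unchanged"
        elif is_ancestor(parents, old, new):
            report[ref] = "fast-forward"   # history only grew
        else:
            report[ref] = "rewritten"      # recorded tip no longer in history
    return report

# Constructed graph (child -> parents): c3x replaces a3 on top of a2.
PARENTS = {"a1": [], "a2": ["a1"], "a3": ["a2"], "c3x": ["a2"], "t1": ["a1"]}
MIRROR = "a3\trefs/heads/master\na2\trefs/heads/stable\nt1\trefs/tags/v1.0\n"
HOSTED = "c3x\trefs/heads/master\na3\trefs/heads/stable\na1\trefs/heads/wip\n"

if __name__ == "__main__":
    result = compare(parse_ls_remote(MIRROR), parse_ls_remote(HOSTED), PARENTS)
    for ref, status in result.items():
        print(f"{status:12} {ref}")
```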