salsa.debian.org (git.debian.org replacement) going into beta
Paul Sherwood
paul.sherwood at codethink.co.uk
Fri Dec 29 13:12:01 UTC 2017
On 2017-12-28 14:01, Nicolas Vigier wrote:
>> I see value in establishing that the history of a repo is what it
>> claims to be; widespread access to the source of GitLab gives me some
>> (misplaced?) comfort, but I may be wrong.
>
> Widespread access to the source of GitLab is nice so that anybody can
> use it on their own server and help improve it. But there is no proof
> that the same code is being used on gitlab.com,
Actually I don't know if that's true or not.
GitLab **seems** to work in a transparent way following common open
source practices, and appears to dogfood its own releases at gitlab.com.
I'll ask if they can provide reliable evidence to show that gitlab.com
is running (only) the software that they are developing via their public
practices.
> and admins of the
> gitlab.com servers would still be able to modify the repositories hosted
> on those servers if they wanted.
This is true of all services, afaik.
In fact, gitlab (including the foss gitlab CE) provides functionality for
admin users to impersonate others, which is a problem in itself I think.
I'll mention in passing that the gitano project [1] attempts to mitigate
against admins doing naughty things by forcing all config changes to be
administered via git commits, with the aim of providing evidence of who
did what when. But most git servers are not that strict.
> I still think it is unlikely that they
> do anything bad with the repositories they are hosting, but it just seems
> wrong to imply that because they publish some source code their servers
> can be trusted more.
I agree, the two things are not connected unless there is evidence to
connect them, e.g. proof that gitlab.com runs the source that is
published.
> But maybe I misunderstood your email and that's
> not what you were saying.
Well, I was saying that in any case I prefer to keep independent mirrors
just in case :)
But given that I can self-host GitLab, based on sources that I can
check, I do have more (different) evidence when assessing whether to
trust GitLab as an organisation vs Github as an organisation. That's not
to say either is better or more trustworthy than the other - everyone
has to reach their own conclusions about who/what to trust.
In any case, I hope that the need to mitigate against some of the risks
we have discussed here does go some way towards answering Holger's
original question?
br
Paul
[1] https://www.gitano.org.uk
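The "independent mirrors" practice mentioned in the message above is only useful if the mirrors are actually compared. The following is an added example, not code from the thread, GitLab, or the gitano project: it parses `git ls-remote` style output captured from two hosting services and reports branches or tags whose heads disagree, refs present on only one side, and pinned refs (release tags recorded locally) whose hash has moved. The ls-remote text, the ref names and the 40-character hashes are constructed sample data.

```python
"""Compare branch/tag heads across independent git mirrors.

Added example (not part of the original mailing-list thread): given the
output of `git ls-remote` captured from two hosting services, report refs
whose commit hashes disagree, refs missing on one side, and pinned refs
whose hash no longer matches a locally recorded value.  The ls-remote
output below is constructed sample data and the hashes are made up.
"""

from typing import Dict, List, Tuple

# Constructed sample output in `git ls-remote` format: "<sha>\t<refname>".
PRIMARY = """\
1111111111111111111111111111111111111111\trefs/heads/master
2222222222222222222222222222222222222222\trefs/heads/debian/sid
3333333333333333333333333333333333333333\trefs/tags/v1.0
3333333333333333333333333333333333333333\trefs/tags/v1.0^{}
"""

MIRROR = """\
1111111111111111111111111111111111111111\trefs/heads/master
9999999999999999999999999999999999999999\trefs/heads/debian/sid
4444444444444444444444444444444444444444\trefs/tags/v1.0
"""

# Locally recorded hashes for refs that should never move (e.g. release tags).
PINNED = {"refs/tags/v1.0": "3333333333333333333333333333333333333333"}


def parse_ls_remote(text: str) -> Dict[str, str]:
    """Parse ls-remote output into {refname: sha}, skipping peeled '^{}' entries."""
    refs: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if ref.endswith("^{}"):
            continue  # peeled tag object, same commit as the tag itself
        if len(sha) != 40 or any(c not in "0123456789abcdef" for c in sha):
            raise ValueError(f"malformed sha in line: {line!r}")
        refs[ref] = sha
    return refs


def compare_mirrors(primary: Dict[str, str], mirror: Dict[str, str]) -> Dict[str, List[str]]:
    """Return refs that differ, exist only on the primary, or only on the mirror."""
    diverged = sorted(r for r in primary if r in mirror and primary[r] != mirror[r])
    only_primary = sorted(set(primary) - set(mirror))
    only_mirror = sorted(set(mirror) - set(primary))
    return {"diverged": diverged, "only_primary": only_primary, "only_mirror": only_mirror}


def check_pinned(refs: Dict[str, str], pinned: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (ref, expected, actual) for pinned refs that moved or vanished."""
    moved = []
    for ref, expected in pinned.items():
        actual = refs.get(ref, "<missing>")
        if actual != expected:
            moved.append((ref, expected, actual))
    return moved


def report(primary_text: str, mirror_text: str, pinned: Dict[str, str]) -> dict:
    """Run all checks over two captured ls-remote outputs."""
    primary = parse_ls_remote(primary_text)
    mirror = parse_ls_remote(mirror_text)
    return {
        "mirror": compare_mirrors(primary, mirror),
        "pinned_primary": check_pinned(primary, pinned),
        "pinned_mirror": check_pinned(mirror, pinned),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(report(PRIMARY, MIRROR, PINNED))
```

In real use the two inputs come from `git ls-remote <url>` against each hosting service; a diverged branch is not necessarily malicious (mirrors lag), but a release tag that points at a different commit on one host than the hash you recorded when you verified it is exactly the kind of evidence the thread is asking for.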