On 2017-12-25 22:25, Holger Levsen wrote:
Hi reproducible Debian folks,

I guess you have seen
https://lists.debian.org/debian-devel-announce/2017/12/msg00003.html
which led to this on -devel:

On Mon, Dec 25, 2017 at 06:59:21PM +0100, Alexander Wirt wrote:
On Mon, 25 Dec 2017, Holger Levsen wrote:
> On Mon, Dec 25, 2017 at 11:45:37AM +0100, Alexander Wirt wrote:
> > External users are invited to create an account on salsa.
> do you plan importing the current -guest accounts from alioth?
No.

For us this could mean that we'll need to ask a bunch of non-Debian people to recreate accounts on salsa.d.o, at which point I expect a lot of "why don't we use github" questions, to which I'm not sure I have a good answer...

At risk of stirring up some of the debate that Chris mentions, I have an answer, based on some experience:

- GitHub is proprietary, so we cannot properly assess what is being done to/with the repos, or who is doing it.
- To make promises about the integrity of content at GitHub, we would be wise to maintain independent external mirrors of what we care about, and react to any attempt to re-write blessed branch histories in upstreams that we believe or need to be well-behaved.

GitLab, being opencore, appears to avoid the proprietary problem and provides some excellent workflow tools. Even with GitLab I would still recommend keeping independent mirrors of all sources and watching for signs of tampering. We've been doing this for some time with the git.baserock.org repositories, for example.

br
Paul

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
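
One way to implement the "independent mirror that watches for rewritten branch histories" idea from the message above, as an added example that is not part of the original post or of any project's tooling. The function name `check_upstream` and the `refs/quarantine/` namespace are assumptions made for illustration.

```shell
#!/bin/sh
# check_upstream MIRROR_DIR UPSTREAM_URL   (added example; names are hypothetical)
# MIRROR_DIR is a bare repository we control; its refs/heads/* hold the last
# branch tips we accepted. A branch only advances when the upstream tip
# descends from the tip we already hold (a fast-forward).
# Returns 0 if clean, 1 if a branch was rewritten or deleted, 2 on fetch error.
check_upstream() {
    mirror=$1 upstream=$2 status=0
    # Land upstream branches in a quarantine namespace. The '+' lets forced
    # updates through so they can be inspected; --prune drops quarantine refs
    # for branches that upstream has deleted.
    git -C "$mirror" fetch --quiet --no-tags --prune "$upstream" \
        '+refs/heads/*:refs/quarantine/*' || return 2

    # Branches already mirrored must still exist upstream and fast-forward.
    for ref in $(git -C "$mirror" for-each-ref --format='%(refname)' refs/heads/); do
        branch=${ref#refs/heads/}
        old=$(git -C "$mirror" rev-parse "$ref")
        if ! new=$(git -C "$mirror" rev-parse --verify --quiet "refs/quarantine/$branch"); then
            echo "DELETED $branch mirror=$old"; status=1
        elif git -C "$mirror" merge-base --is-ancestor "$old" "$new"; then
            # Compare-and-swap: only move the ref if it still equals $old.
            git -C "$mirror" update-ref "$ref" "$new" "$old"
        else
            # Upstream tip no longer contains our tip: history was rewritten.
            # The mirror keeps the old tip so the evidence is preserved.
            echo "REWRITTEN $branch mirror=$old upstream=$new"; status=1
        fi
    done

    # Branches seen for the first time are recorded as the new baseline.
    for ref in $(git -C "$mirror" for-each-ref --format='%(refname)' refs/quarantine/); do
        branch=${ref#refs/quarantine/}
        git -C "$mirror" rev-parse --verify --quiet "refs/heads/$branch" >/dev/null ||
            git -C "$mirror" update-ref "refs/heads/$branch" "$ref" ""
    done
    return $status
}
```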
