On 2017-12-28 14:01, Nicolas Vigier wrote:
>> I see value in establishing that the history of a repo is what it claims to be; widespread access to the source of GitLab gives me some (misplaced?)
>> comfort, but I may be wrong.

> Widespread access to the source of GitLab is nice so that anybody can
> use it on their own server and help improve it. But there is no proof
> that the same code is being used on gitlab.com,

Actually I don't know if that's true or not.

GitLab **seems** to work in a transparent way following common open source practices, and appears to dogfood its own releases at gitlab.com.

I'll ask if they can provide reliable evidence to show that gitlab.com is running (only) the software that they are developing via their public practices.

> and admins of the
> gitlab.com servers would still be able to modify the repositories hosted
> on those servers if they wanted.

This is true of all services, afaik.

In fact, gitlab (including the foss gitlab CE) provides functionality for admin users to impersonate others, which is a problem in itself I think.

I'll mention in passing that the gitano project [1] attempts to mitigate against admins doing naughty things by forcing all config changes to be administered via git commits, with the aim of providing evidence of who did what when. But most git servers are not that strict.

> I still think it is unlikely that they
> do anything bad with the repositories they are hosting, but it just seems
> wrong to imply that because they publish some source code their servers
> can be trusted more.

I agree, the two things are not connected unless there is evidence to connect them, e.g. proof that gitlab.com runs the source that is published.

> But maybe I misunderstood your email and that's
> not what you were saying.

Well, I was saying that in any case I prefer to keep independent mirrors just in case :)

But given that I can self-host GitLab, based on sources that I can check, I do have more (different) evidence when assessing whether to trust GitLab as an organisation vs Github as an organisation. That's not to say either is better or more trustworthy than the other - everyone has to reach their own conclusions about who/what to trust.

In any case, I hope that the need to mitigate against some of the risks we have discussed here does go some way towards answering Holger's original question?

br
Paul

[1] https://www.gitano.org.uk


_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds