One thing that is been left unclear is what does it mean to "use salsa"? For example, the e2fsprogs git repository is hosted at multiple locations:
* https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git * https://github.com/tytso/e2fsprogs.git * https://git.code.sf.net/p/e2fsprogs/code * https://repo.or.cz/e2fsprogs.git I push changes to all of them when do updates from my development system, and they all have my debian packaging branches. Which one is the "master" repo? There's really no such thing. I suppose we could call git.kernel.org the "master" because it was the first but technically, the bitkeeper repository predates them all. :-) So I could create a Salsa repo for e2fsprogs and add it to the list; but what does that actually mean? What does it mean to have a Vcs-Git line pointing at git.kernel.org versus salsa.debian.org? It surely doesn't mean anything about access rights, whether it's "any random Debian person can check in arbitrary things to the repo --- there are some packages that are in groups that have very tight access controls, and that's probably a good thing. I'm much more comfortable knowing that stealing some random Debian maintainer's git credentials is not enough to install trojan horses into the openssh package! And suppose I did create a Salsa repo for e2fsprogs, which could be changed by anyone in the debian group. And suppose someone adds something to the git repo which is totally wrong, and which bypassed any kind of code review. No problem! I'd just do a force push and the commit in Salsa would Go Away. Or is that sort of thing frowned upon with having a git repository on Salsa? As a result, I'd argue that when we talk about "forcing" people to use Salsa, it's actually kind of underspecified what might be meant by that. If a developer has their git repository on github, or git.kernel.org, or on their own private server, what value does it add to have another copy on Salsa? As far as I'm concerned, it neither adds much value, nor does it cost much. It's when you start saying that it must be the *canonical* repository, and it doesn't matter what random DD's push to it; once they've pushed to it, it must be preserved ***forever*** without any forced pushes or rewinds, that it starts to make more of a difference. Cheers, - Ted
