On Tue, Jan 07, 2025 at 09:24:54PM +0100, Julien Plissonneau Duquène wrote: > Le 2025-01-07 20:03, Andreas Tille a écrit : > > While I'd love to see all packages on Salsa > > I think that being able to host the primary git repository of packages > elsewhere is a freedom worth maintaining for many reasons. > > What the Debian Project could (and probably should) do in these cases is to > host a read-only mirror of the repository with most features disabled by > default (no issues, no merge requests, no CI unless the maintainers switch > them on), just keeping the possibility to fork the repository. This would > mitigate the risk that the repository just vanishes, maybe help to alleviate > some scaling issues like API rate limits on some platforms, and make it > easier for would-be contributors to maintain a public fork for the platforms > that make it complicated or impossible or have unreasonable ToS.
Hm. That sounds interesting, but I think the Debian project cannot protect such a mirror from automatically bringing in non-DFSG content that appears in the remote repository. One might even take this one step further and go to content forbidden by law in various jurisdictions. Having a Git forge where developers (who have manually created accounts and agreed to terms of use) will always choose what to push and what not to push takes care of this problem, or at least moves the responsibility on to the developers themselves. An automatic mirror cannot do that. (and no, even if one says "well the responsibility is on the developer who first marked that remote repo for mirroring", no, I don't think there is a way that developer can know that, two weeks later, somebody will push bad stuff there) G'luck, Peter -- Peter Pentchev r...@ringlet.net r...@debian.org pe...@morpheusly.com PGP key: https://www.ringlet.net/roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
signature.asc
Description: PGP signature
