Luca Boccassi writes ("Re: [RFC] General Resolution to deploy tag2upload"):
> a completely custom local git forge reimplementation, other than
> inevitably suffering from bitrot at some point in the future, like
> all custom infrastructure, will have the disadvantage that nobody
> else uses it.The only significant custom code on the dgit repos git server is the program `dgit-repos-server` which performs access control for `git push`. This program is needed because access control for uploading in Debian is based on PGP signatures and the archive keyring, not ssh keys. Ie, it is the implementation of the dak upload policy, but for git, based on signed tags. (A design goal for tag2upload and dgit is to work *within* the existing workfllws, access control model, and so on. So tag2upload's access control is precisely that of the Debian archive.) dgit-repos-server has existed since 2014 and is currently 1500 lines long. It is part of src:dgit and dgit-infrastructure.deb, and is thoroughly tested in CI. I don't think it's in significant danger of rotting. > This is the reason Alioth is gone, and it's a very good reason. Indeed dgit-repos-server was written to get rid of a dependency on Alioth, well before it was even known that Alioth was going to be retired. Ian. -- Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
