Umh... > I am still making my way through the discussion, however, and there > are many bits I haven't understood. But the project has (mostly) > decided and adopted Salsa as our project-wide Git "thingy". If it were > feasible to adequate Salsa to add the ACLs needed for tag2upload to be > securely deployable, I don't follow the need to have a second Git > implementation we'd all have to interface with (in order to use > tag2upload). > > And even if Salsa is deemed insufficiently prepared (or having a too > large vulnerability footprint), a second, hidden Git-based server > could be made to pull from Salsa, quietly syncing and acting when the > right tags are found. And, of course, loudly complaining to users if > any invalid operation (i.e. history rewrites involving published tags) > were attempted.
After reading a bit more, I find I'm describing... precisely bits that you have already considered and incorporated in the proposal itself. so, sorry for the noise. I shall continue reading in order to... understand why the controversy I'm replying to even started :-Þ
