On Wed, 12 Jun 2024 at 22:01, Joerg Jaspert <jo...@debian.org> wrote:
>
> On 17258 March 1977, Luca Boccassi wrote:
>
> > > "My security recommendation in this case is therefore to centralize
> > > the risk as much as possible, moving it off of individual uploader
> > > systems with unknown security profiles and onto a central system that
> > > can be analyzed and iteratively improved."
>
> > So I don't think this is a good argument. One system is better than
> > two. And we need to secure all of it anyway, as Salsa is a component
> > of the solution anyway.
>
> Nah. Without having looked through the dgit source - having a system
> beside salsa do this for Debian is much preferable.
>
> The gitlab for salsa is
> a.) forcing us to follow a way that does *not* fit how Debian works for
> uploads

I have no idea what this means, sorry.

> b.) a codebase so much larger and made out of so many more components
> than all of this proposals code combined together, it will be *worse*.
> I mean, look at the security history of Gitlab. Sure, they are fast in
> fixing. But they are *constantly* fixing things up with "critical
> release, apply ASAP".

You can take that paragraph, do s/Gitlab/Linux kernel/ and it would
still 100% apply. So do you propose that this additional forge runs on
Hurd then? It's got no security advisories! A nice and clean security
history.