Hello Antoine, Thank you for your interest.
I think I should say right away that tag2upload != dgit. With tag2upload, you will be able to replace 'dpkg-buildpackage -S' and 'dput' with just 'git debpush'. Your other gbp usage is unchanged. Thank you for sharing your recent work experience with scalability and concerns that it might apply to the dgit-repos server. I'll let Ian reply to that part. It is interesting that you see this proposal as the tip of an iceberg and that you would like to see more of the wider context, because Helmut said something similar to me yesterday. The way I see it, one thing that we can be sure about is that whatever else we might want to do in the future with our git/salsa transition, we know that we will want to do source-only uploads by pushing a signed git tag. We can implement that now, so let's do it. On Wed 12 Jun 2024 at 11:08am -04, Antoine Beaupré wrote: > I understand the proposal doesn't directly say "oh yeah, we're actually > thinking we should ditch salsa and replace it with all those nice little > small components", but it is certainly taking a stand that Salsa is not > good enough to provide the level of security that is required to upload > packages in Debian, and saying that is saying a lot because I suspect we > are *actually* trusting Salsa and GitLab with our code much more than we > would like to admit... I don't think we are taking a stand that salsa is not good enough to provide any particular form of security. In fact, I don't think that tag2upload changes the extent to which we trust salsa: we would not be trusting it any more nor any less. Perhaps you could take another look at the design. (In the background: I very much share your view that we are actually trusting salsa far much than we generally think we are.) -- Sean Whitton
