On June 12, 2024 8:03:59 PM UTC, Luca Boccassi <bl...@debian.org> wrote:
>On Wed, 12 Jun 2024 at 19:24, Russ Allbery <r...@debian.org> wrote:
>>
>> "Adam D. Barratt" <a...@adam-barratt.org.uk> writes:
>> > On Wed, 2024-06-12 at 10:43 -0700, Russ Allbery wrote:
>>
>> >> There was more confusion about this point than I had anticipated, so I
>> >> want to emphasize that the dgit-repos server is not a forge, is not a
>> >> competitor to Salsa, doesn't replace Salsa in any way, and is not
>> >> something that people interact with the way that they interact with
>> >> Salsa.  It's much closer to a Git equivalent of archive.debian.org: a
>> >> persistent historical record accessible via the Git protocol and (as I
>> >> discovered during this thread) a cgit web interface.
>>
>> > In that sense, it's more like snapshot.debian.org, I think?
>>
>> Yes, apologies, that's a much better analogy.
>
>But you don't push to snapshot, it's just a backup method, it doesn't
>take any input from DDs (AFAIK? Am I wrong?). Given
>https://browse.dgit.debian.org/ exists and has tons of stuff already,
>and this proposal for tag2upload doesn't exist yet, I gather that dgit
>is already a thing that is used independently of tag2upload? I mean,
>that's how it was explained to me yesterday anyway.
>
>So I don't think this analogy works. One couldn't say "let's remove
>archive.debian.org, just push to snapshot.debian.org", but one could
>say "let's remove salsa.debian.org, just push to dgit.debian.org".

I think it is more accurate to say that they are mirrors.  They both contain
details of current and historical packages.  The difference is that snapshot is
downstream of the archive, while these putative tag2upload repositories are
upstream.

It's it being upstream of the primary archive that makes it far more security 
sensitive.

Scott K
