On 2024-06-13 05:31:13, Sean Whitton wrote:
> Hello Antoine,
>
> Thank you for your interest.
>
> I think I should say right away that tag2upload != dgit.
> With tag2upload, you will be able to replace 'dpkg-buildpackage -S' and
> 'dput' with just 'git debpush'. Your other gbp usage is unchanged.

Oh, interesting. I actually rarely run dpkg-buildpackage -S directly. It's
a thing I know of, but I kind of always rebuild a binary package from
scratch. I know it's kind of silly, but I kind of think it's important to
have the package actually compile all the way through before uploading...

[...]

> On Wed 12 Jun 2024 at 11:08am -04, Antoine Beaupré wrote:
>
>> I understand the proposal doesn't directly say "oh yeah, we're actually
>> thinking we should ditch salsa and replace it with all those nice little
>> small components", but it is certainly taking a stand that Salsa is not
>> good enough to provide the level of security that is required to upload
>> packages in Debian, and saying that is saying a lot because I suspect we
>> are *actually* trusting Salsa and GitLab with our code much more than we
>> would like to admit...
>
> I don't think we are taking a stand that salsa is not good enough to
> provide any particular form of security.
> In fact, I don't think that tag2upload changes the extent to which we
> trust salsa: we would not be trusting it any more nor any less. Perhaps
> you could take another look at the design.

Yep, clearly I missed something. I somehow assumed that we were bypassing
salsa entirely here, but reading rra's audit, I see we actually fire a hook
from salsa to get the tag2upload machinery into gear, so that lessens that
concern quite a bit!

> (In the background: I very much share your view that we are actually
> trusting salsa far more than we generally think we are.)

Yeah, that thing is just scary, I have to say... But that's the hand we're
given, alas.

a.

-- 
Man is, at one and the same time, a solitary being and a social being,
 - Albert Einstein