On Wed, 12 Jun 2024 at 16:20, Jonas Smedegaard <jo...@jones.dk> wrote:
> To answer your convoluted question, I am suggesting that Salsa and
> tag2upload have very different needs (multi-user write versus multi-user
> append-only, drastically simplified), and consequently to not argue that
> reuse of Salsa for hosting tag2upload is a security benefit.

IMHO this is an interesting point that can be a real and useful
feature of the tag2upload system.

Think of it as a source version of snapshots.debian.org - if tag2upload always saves the tagged state of the repository to a separate append-only git server whenever it processes a signed tag, that would provide a clear archival backup of the exact state of software that was processed for upload.

It does not matter where tag2upload gets the initial tags from - it could be Salsa, it could be Github, it could be a developer's self-hosted git server that is added to some tag2upload config file for polling, like Planet Debian works. tag2upload could pull from a bunch of git sources. The config of those repos does not matter anymore because tag2upload takes care of signature verification and of archiving.

And where exactly tag2upload keeps its archive does not really matter, as long as it is an append-only git server (at least for the repos that tag2upload writes to, which can be separate from actual development repos).

With that kind of setup, you could not only (like today) go to snapshots.debian.org to get the exact binary of the uploaded Debian package with its real state at any particular day in the past, but also go to the archive git server of tag2upload and, for any processed tag, check out the exact git state that was processed, regardless of anything that was later done to the original development repo/server. Even if that server goes down, the archive will remain.

-- 
Best regards,
    Aigars Mahinovs        mailto:aigar...@debian.org
  #--------------------------------------------------------------#
 | .''`.    Debian GNU/Linux (http://www.debian.org)            |
 | : :' :   Latvian Open Source Assoc. (http://www.laka.lv)     |
 | `. `'    Linux Administration and Free Software Consulting   |
 |   `-                                 (http://www.aiteki.com) |
 #--------------------------------------------------------------#
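As an added illustration of the "append-only git server" idea in the message above (this is example code written for this page, not tag2upload's, Salsa's or Debian's own implementation): a bare git archive whose server-side `update` hook refuses deletions and tag rewrites, plus a helper that verifies a tag and pushes its exact state into the archive. It assumes `git` is installed; the function names, the hook body and the throwaway demo repository are this example's own. The offline demo below uses an unsigned tag because no OpenPGP key is available, so it passes `0` for the signature requirement; a real deployment would keep it at `1` so `git verify-tag` runs first.

```shell
#!/bin/sh
# Added example, not tag2upload's code. Assumes git is on PATH.
set -eu

# Create a bare archive repository that only ever accepts new refs and
# fast-forward branch updates. receive.denyDeletes/denyNonFastForwards cover
# deletions and branches, but a rewritten tag pushed with --force is only
# refused client-side, so the update hook enforces tag immutability too.
archive_init() {
    archive="$1"
    git init -q --bare "$archive"
    git -C "$archive" config receive.denyDeletes true
    git -C "$archive" config receive.denyNonFastForwards true
    cat > "$archive/hooks/update" <<'EOF'
#!/bin/sh
# update hook: $1=refname $2=old-sha $3=new-sha (all zeros = create/delete)
refname="$1" old="$2" new="$3"
zero=0000000000000000000000000000000000000000
if [ "$new" = "$zero" ]; then
    echo "archive: deletion of $refname refused" >&2; exit 1
fi
if [ "$old" != "$zero" ]; then
    case "$refname" in
    refs/tags/*)
        echo "archive: $refname already exists; tags are immutable here" >&2
        exit 1 ;;
    *)
        # branches may only move forward, never be rewritten
        git merge-base --is-ancestor "$old" "$new" || {
            echo "archive: non-fast-forward update of $refname refused" >&2
            exit 1
        } ;;
    esac
fi
exit 0
EOF
    chmod +x "$archive/hooks/update"
}

# Archive the exact object a tag points to, under the same tag name.
# $1=development repo  $2=archive repo  $3=tag  $4=require signature (1/0)
archive_tag() {
    src="$1" archive="$2" tag="$3" require_signed="${4:-1}"
    if [ "$require_signed" = 1 ]; then
        git -C "$src" verify-tag "$tag"   # fails on unsigned/untrusted tags
    fi
    git -C "$src" push -q "$archive" "refs/tags/$tag:refs/tags/$tag"
}

# Offline demo on constructed repos: archive tag v1, then try to rewrite and
# delete it in the archive the way a compromised development server could.
# Prints "ok rewrite-refused delete-refused intact" when the archive holds.
demo_append_only_archive() {
    work="$(mktemp -d)"
    src="$work/dev" archive="$work/archive"
    git init -q "$src"
    git -C "$src" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "release 1"
    git -C "$src" tag v1
    original="$(git -C "$src" rev-parse 'v1^{commit}')"
    archive_init "$archive"

    archive_tag "$src" "$archive" v1 0 && first=ok || first=failed

    # "Tamper" with the development repo: move v1 to a different commit.
    git -C "$src" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "rewritten history"
    git -C "$src" tag -f v1 >/dev/null
    if git -C "$src" push -q --force "$archive" refs/tags/v1 2>/dev/null; then
        second=accepted
    else
        second=rewrite-refused
    fi
    if git -C "$src" push -q "$archive" :refs/tags/v1 2>/dev/null; then
        third=accepted
    else
        third=delete-refused
    fi
    # The archive must still point at the commit that was actually processed.
    archived="$(git -C "$archive" rev-parse 'v1^{commit}')"
    [ "$archived" = "$original" ] && fourth=intact || fourth=changed
    rm -rf "$work"
    echo "$first $second $third $fourth"
}
```

Running `demo_append_only_archive` shows the property the message relies on: once a processed tag is in the archive, neither a forced rewrite nor a deletion from the client side changes it, so the archive keeps the exact tree that was uploaded even after the development repository has moved on.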
