Hello Raphael, I read your document. I have been really excited since I first heard about Debusine; at the same time I feel skeptical about it. This is not a minor task, and there are a lot of considerations to be made for this kind of system to become a production-ready drop-in replacement for the current infrastructure.
The first thing that comes to mind is the chain of *dependencies* of the software in terms of long-term *maintainability*, the ease of adapting the code for newer needs and the ease of updating and upgrading this system when running in a production environment. Who would be the long-term maintainer of this infrastructure, providing security support and newer updates? The current production system has very few dependencies (a Python interpreter and a few standard libraries; it uses no complex frameworks, a bit of shell, Perl, ... whatever was available at the time), wanna-build, a PG DB that helps orchestrate the builds (for different suites), also with very few dependencies. So the obvious question arises: why should we upgrade the existing one to a different one? (A rhetorical question; later I give a potential reply to this.)

The need for few dependencies is also good for controlling the attack surface, which brings up the topic of *security* of the system; an assessment/audit should be made and taken seriously.

I mentioned I was excited about Debusine (replying to the previous question): my expectations are very high and I think it is great to modernize a software stack which has been organically growing over at least the last 20+ years; better integration with other Debian services would be great, instead of having the sense of running the distro on a giant crontab.

I also mentioned I was skeptical, and that is because I feel that replacing all the current sub-systems, or even orchestrating them over a single tool, is very challenging and hard work. Getting into this particular topic of replacing buildd and potentially other components needs much more discussion; the first item for me would be building embargoed security updates (how secure and confidential would that be?).

Thanks very much for supporting this effort despite the big challenge it represents.