RFC: Central version control for Debian
Recent discussions about auditing have gotten me thinking about Debian's use of
version control (or lack thereof). Currently, the situation is left in the
hands of individual developers. Many of them use CVS; some use other methods;
some use no version control at all.
OpenBSD's best weapon in their auditing efforts is their CVS tree. They have
access to all of the code in one place, with a complete change history. Why
not set up something similar for Debian? To start, uploaded packages could be
automatically imported into 'source' and 'debian maintainer' branches. This
would, at the very least, allow for easy diffs between versions.
Eventually, it would be nice to allow maintainers to commit changes to the
repository. Things get much more complicated here. Debian has a lot more
developers than OpenBSD, and we seem to make changes much more frequently.
Developers could easily step on one another's toes. Package maintainers need
to be able to ensure that they don't miss ANY changes that are made to their
packages, lest unexpected bugs arise (or worse, malicious ones).
Having such a tool would be a huge advantage for nearly everyone:
- The Security Team could create branches from older versions to backport
fixes, and easily extract individual changes (e.g. changes to a particular
source file between two upstream releases) and merge them in.
- Maintainers adopting orphaned packages would have access to the complete
history of the package, to help avoid repeating old mistakes, and to help
understand why changes were made.
- A hypothetical security auditing team could easily and methodically audit the
entire source tree.
- Peer review could increase, as well as additional sharing and collaboration
etc., etc. The biggest barrier to making this work seems to be deciding who
should be able to commit changes where. CVS may not currently be flexible
enough for our needs; it would be nice, for example, if certain users (the
security team) were able to create a branch for a package, but not trample over
the maintainer's current stuff. Tracking is relatively easy; the official
maintainer address could be sent mail whenever a change was committed to one of