Re: RFC: Central version control for Debian
Quoting Joey Hess (email@example.com):
> Matt Zimmerman wrote:
> > Recent discussions about auditing have gotten me thinking about Debian's use of
> > version control (or lack thereof). Currently, the situation is left in the
> > hands of individual developers. Many of them use CVS; some use other methods;
> > some use no version control at all.
> At the past two Atlanta Linux Showcases, there have been two main
> themes of discussion. One is autobuilding all of Debian (and
> build-dependencies are making that more and more possible, though there
> are still hurdles). The other is checking it into cvs.
In my opinion _proper_ autobuilding depends on a CVS (or some similar tool)
> Presuming we could find someone to donate the disk space, I think it
> would be worth it. Matt listed some of the nice benefits it would yield.
As we already discussed in Atlanta, I'm willing to donate the diskspace
to set this up on the central servers.
The advantages that we will gain from a CVS/autocompile (make world bootstrap)
combo are easier security audits, far fewer dependency problems since
everything is built on the same foundation in contrast to the 600 or so
different environments that packages are currently built in.
It is the foundation on which the trust of our users/customers
in our distribution can be built. This would be an attribute that
would help the entry of Debian into the corporate world enormously.
It would allow us to eventually do weekly builds of the binaries for
the whole distribution, at least for those architectures where we
have fast enough compile machines to compile everything in a timely
There is one more reason why we actually _must_ have a source
repository. There are laws (and also the GPL itself IIRC) that
require us to keep the sources available for a couple of years.
Currently nobody would be able to reproduce this. IANAL but
theoretically we could be held accountable for damages if we can't
reproduce packages that have been published on our ftp servers.
We could not publish repositories like unstable, testing, etc anymore
since nobody archives _all_ the changes in there. This can only be
done via a central source archive.