[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tag2upload service architecture and risk assessment - draft v2

On 15508 March 1977, Sam Hartman wrote:

First off: I, for personal reasons, am a bit detached right now with
anything Debian (though that should change soon). For that reason, I
haven't read most of the mail threads, though i skimmed over this one a
bit.


    Scott> Your proposal completely changes the notion of what our
    Scott> package archive is while, IMO, pretending to be something
    Scott> else.



During the DPL campaign, a number of people, including Joerg, made
statements that I interpreted as explicitly wanting to make this change.
That is, they wanted to move our authoritative source format to Git,
possibly even getting rid of dscs in the medium future.


Yes.


Now we all get to think about it and decide how their implementation
experience influences whether we think it is a good idea.


I currently do not have too deep a thought on how good their
implementation is. Just one thing I've seen picked at multiple times,
and in different places: The current implementation appears to move away
the final integrity check linking an upload to a person away from the
archive software to some other.

Thats a no-go.

Note: I do not say it must be "a dsc" "a git commit" or "a something"
that is used for this check. That is an implementation detail. But the
final check/link of an upload with a maintainer(s key) has to be "in"
the archive. Systems before it can *additionally* do any number of them,
but the final one is in dak.


At least in my mind, this is all predicated on believing that moving
away from today's dscs toward git as authoritative source is actually a
good idea.
If you don't believe that, then you're never going to like this proposal
at all.
I guess you could decide you want tag2upload somehow even though you
don't want that transition.
I personally don't see how you get there unless you buy into the idea of
moving toward git as source.
Also, I want to make it clear that the DPL campaign didn't establish a
project direction.  It established enough interest that the idea was
worth exploring.
I'm not saying that because people brought this up in the campaign,
we've somehow decided to make a change.
I'm also not saying that this is somehow a DPL issue because it happened
in the DPL campaign.


I do like (as I stated in the past too) to move to something more git
like. I still want to keep the link between upload and maintainer in the
archive. I am sure that is achievable somehow. It may require one more
roundtrip with the maintainer for a signature.

Also, note that entirely relying on git for stuff introduces us back to
sha1, something the archive got rid of. Going backwards doesn't seem to
be a good idea?!

--
bye, Joerg
Reply to: