
Re: [RFC] Proposal for new source format

On Tue, Oct 22, 2019 at 07:33:47AM -0400, Sam Hartman wrote:
> My initial reaction is that this is additional complexity in a direction
> that we don't need.

It is not a question of complexity.  It is a question of trust and who
we want and need to trust.

If we abolish the principle that we want to need as little trust as
possible and be able to verify all the steps within the archive, then we
don't actually need the complexity.  But someone needs to stand up and
proclaim exactly that.  This is what no-one did.

If we don't want to sacrifice that, we have to stick to a chain of

> Like Russ, I generally assume that VCS-like things are the future.
> I understand there is complexity there.

What is "VCS-like"?  Please define it.  A source package is no VCS, it
does not need to be.

E.g. dgit is not a VCS-like source package, as it solves a different
purpose to a source package we ship in the archive to all our users.

Because we have been running around this concept for some time now, please
help me to actually understand what you mean by it.

> But I don't understand why this proposed format would be a step forward
> in a world where we care more about VCSes.  As an example, I don't
> understand how this would make things better for tag2upload.

We had that discussion already, it is about the possibility of
reproducing the content of the upload.  The tag2upload proposal said
they can't do it and everyone needs to trust this service to do the right
thing.  I like to solve this problem and allow such a tool/service to
forward the trust information by reproducing the output.

> I don't think this proposal is sufficiently well developed where you're
> going to get much good feedback on debian-devel.

What would be the correct location for it?


Those who hate and fight must stop themselves -- otherwise it is not stopped.
		-- Spock, "Day of the Dove", stardate unknown
