
Re: [RFC] General Resolution to deploy tag2upload



On Tue, 11 Jun 2024 at 23:25, Sean Whitton <spwhitton@spwhitton.name> wrote:
>
> Hello everyone,
>
> This is a draft GR.  I'm posting it now for textual review, because of
> the relative shortness of our official discussion periods.
>
> After some time for review, I'll post again seeking seconds.
>
> The first sections are an introductory discussion.  For the actual GR
> text, scroll down to the bottom of this e-mail.  Thanks.
>
> =====
> INTRODUCTION
>
> The tag2upload system, designed for deployment on official Debian
> infrastructure, allows DDs and DMs to make source-only uploads simply by
> pushing a signed git tag.  There are two key advantages:
>
> - it will be much quicker and easier for us to do most of our uploads
>
> - it improves the traceability and auditability of our source-only
>   uploads, in ways that are particularly salient in the wake of xz-utils.
>
> The system works like this:
>
> 1. Maintainer types 'git debpush' to sign and push a suitable git tag.
>    The tag includes certain metadata that makes the maintainer's
>    intention to upload fully traceable, and unambiguous.
>
> 2. A robot on DSA infrastructure automatically, reliably and traceably
>    builds the source package, and uploads it to the Debian Archive.
>
> tag2upload will be an additional option for your source-only uploads;
> no-one will be required to use it.  For more information on the details
> of the system itself, I've included some links down below.

Hi,

I like the idea of pushing a git tag to upload a lot, thanks for
working on this!

One comment on the linked document:
https://salsa.debian.org/dgit-team/dgit/-/blob/master/TAG2UPLOAD-DESIGN.txt
this just uses the term "dgit" without defining or linking to some
documentation. I was not really familiar with it so I was a bit
confused by it, I'd suggest maybe adding some clarification.

And on the implementation details, I really do not like the idea of
having a competing git forge with Salsa. This dgit server seems to
just be a ye olde git-web interface. If this goes forward, in my
opinion it should exclusively use Salsa as the git server, to avoid
duplicating infrastructure. That way we have only one place to look at
for all git repos.

Kind regards,
Luca Boccassi

