
Re: Summary of the current state of the tag2upload discussion



Hi,

On 6/25/24 09:38, Brian May wrote:

> But like it or not, mistakes can happen. E.g. somebody applies a security
> update to the project. And uploads it to Debian. But forgets to do a git
> push to salsa.

You can only call it "forgetting" to do a git push if you introduce a policy that contributions to git-maintained packages have to be made through git.

Which is a completely sensible policy, but it needs to be introduced as a policy (and communicated to the Security Team, and added to the Developer Manual), not as a necessary consequence of a technical change as so many policy changes in the past years.

> Then later on - maybe months. Or years. The packages I deal with don't
> change frequently. Somebody else makes changes to the git based on the
> salsa repo.

As long as the policy is that the authoritative version of a package is in the archive, there needs to be an automated process to import uploaded packages back into git.

Also, the salsa repo is not the authoritative version either. The dgit repo is.

   Simon

