Bug#550817: thoughts on a gitolite Debian package



Hello,

Since Rhonda mentioned on IRC last night that she is working on
a package that supports both types of use-cases
— workstation-originated installs (easy-install, this is how
gitolite was designed upstream), as well as server-based installs
— I've been thinking about the issue a bit and would like to argue
that only server-based installs should be provided by the Debian
package.

The reason is quite simply related to upgrades and security: with
a server-based install, we have all files under dpkg-control and can
thus address upgrades and security issues with new files and
maintainer scripts.

If the user ran easy-install, then the source files are likely to
live on a separate machine, outside of our control. The user may not
be aware of that fact (at least not consciously), and might not know
that s/he is expected to react to security issues by pushing new
versions manually.

While the easy-install use-case is certainly a nice one, I think
that we should confine that to from-repo clones, just like upstream
suggests to install from a clone rather than a tarball. If the user
cloned a Git repository, s/he can be expected to update it once in
a while, and hopefully will remember to push updates to server
installs.

From the Debian packaging point of view, I think we are in
a position to contain this proliferation of untracked installations,
thanks to the availability of APT. I think this is the proper
use-case for Debian, and for users to run their own repositories off
servers is then only a matter of having the admin install gitolite
— when otherwise they might have to ask for git-core anyway.

In fact, I think the easy-install script, as nice as it is, should
not be installed by the Debian package.

I hope this makes sense.

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)