Hello,

Since Rhonda mentioned on IRC last night that she is working on a package that supports both types of use-cases — workstation-originated installs (easy-install, this is how gitolite was designed upstream), as well as server-based installs — I've been thinking about the issue a bit and would like to argue that only server-based installs should be provided by the Debian package.

The reason is quite simply related to upgrades and security: with a server-based install, we have all files under dpkg-control and can thus address upgrades and security issues with new files and maintainer scripts. If the user ran easy-install, then the source files are likely to live on a separate machine, outside of our control. The user may not be aware of that fact (at least not consciously), and might not know that s/he is expected to react to security issues by pushing new versions manually.

While the easy-install use-case is certainly a nice one, I think that we should confine that to from-repo clones, just like upstream suggests to install from a clone rather than a tarball. If the user cloned a Git repository, s/he can be expected to update it once in a while, and hopefully will remember to push updates to server installs.

From the Debian packaging point of view, I think we are in a position to contain this proliferation of untracked installations, thanks to the availability of APT. I think this is the proper use-case for Debian, and for users to run their own repositories off servers is then only a matter of having the admin install gitolite — when otherwise they might have to ask for git-core anyway.

In fact, I think the easy-install script, as nice as it is, should not be installed by the Debian package.

I hope this makes sense.

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems