salsa

Posted Jul 4, 2024 6:46 UTC (Thu) by LtWorf (subscriber, #124958)
Parent article: Debian debate over tag2upload reaches compromise

There are some problems with using salsa as the ultimate source of truth: it isn't.

I have done non maintainer uploads to packages that were soon going to be removed due to grave bugs. And when trying to sync salsa with my changes, I found out that I had no write access on that particular repository.

The same happened when someone else made an NMU to some package of mine: I had to sync the changes with salsa.

Since an NMU is usually done in case of important or grave bugs, a new workflow that might result in fewer NMUs being done, could result in issues remaining around for longer (or packages being removed).

salsa

Posted Jul 4, 2024 8:16 UTC (Thu) by bluca (subscriber, #118303) [Link]

That's an ACL problem though, that we should fix independently

salsa

Posted Jul 5, 2024 19:43 UTC (Fri) by smurf (subscriber, #17840) [Link]

> There are some problems with using salsa as the ultimate source of truth: it isn't.

It's not intended to be. The signed tag is picked up by t2u and then pushed to an append-only git repository (to check it out: https://browse.dgit.debian.org). That, plus the source archive (the two are supposed to contain the same data after all, at least when you consider the trees linked to the actual tagged commits), is the "source of truth".

Whatever else happens on salsa and/or some other git repository is something Debian will have to deal with sooner or later, true, but that's independent of t2u,