Web lists-archives.com

Re: concerns about Salsa

Dmitry Smirnov writes ("concerns about Salsa"):
> Imagine my surprise when I've found that Salsa is not using our own
> GitLab package at all.

Salsa is hardly the first Debian production service to not be running
the packaged version of its primary application, and it won't be the
last.  ftp.debian.org isn't running the packaged version of dak.

Even my own git.dgit.d.o isn't running the packaged version of
dgit-infrastructure; it executes out of a git clone.  (I took the
trouble to implement `dgit clone-dgit-repos-server' and the
corresponding server end so make sure that the source code for the
server is always public.)

> I would understand if there were no choice but Salsa admins clearly
> chosen to discard GitLab package in favor of vendor binaries

However, I hope it's not running vendor-provided binaries.  That would
be quite poor IMO and a big departure from our normal practice.  Are
you sure that that is the case ?

> Aren't we sending a wrong message that packaging is not important?

In practice, I have found that it is much easier to deploy a
production service directly from its git tree.  This makes it much
easier to make changes.

With modern red-queen's-race[1] webby stuff there are also sometimes
problems with a mismatch of security update models.  IDK how bad that
problem is in the Ruby ecosystem.


[1] https://en.wikipedia.org/wiki/Red_Queen%27s_race

Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.