Dmitry Smirnov writes ("concerns about Salsa"):
> Imagine my surprise when I've found that Salsa is not using our own
> GitLab package at all.Salsa is hardly the first Debian production service to not be running the packaged version of its primary application, and it won't be the last. ftp.debian.org isn't running the packaged version of dak. Even my own git.dgit.d.o isn't running the packaged version of dgit-infrastructure; it executes out of a git clone. (I took the trouble to implement `dgit clone-dgit-repos-server' and the corresponding server end so make sure that the source code for the server is always public.) > I would understand if there were no choice but Salsa admins clearly > chosen to discard GitLab package in favor of vendor binaries However, I hope it's not running vendor-provided binaries. That would be quite poor IMO and a big departure from our normal practice. Are you sure that that is the case ? > Aren't we sending a wrong message that packaging is not important? In practice, I have found that it is much easier to deploy a production service directly from its git tree. This makes it much easier to make changes. With modern red-queen's-race[1] webby stuff there are also sometimes problems with a mismatch of security update models. IDK how bad that problem is in the Ruby ecosystem. Ian. [1] https://en.wikipedia.org/wiki/Red_Queen%27s_race -- Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter. Ian.
