GnuPG Github mirrors

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Oct 26 23:14:48 CET 2015


On Mon 2015-10-26 15:58:47 -0400, Jeroen Ooms wrote:
> On Mon, Oct 26, 2015 at 8:05 PM, Kristian Fiskerstrand
> <kristian.fiskerstrand at sumptuouscapital.com> wrote:
>> why would anyone want to move away from libre repository hosting (and
>> issue tracker, wiki etc) in favor of a proprietary solution where you
>> potentially have no control of your own data in the future?
>
> It's a *mirror*, I'm not sure where exactly you got the moving away
> part. Think of it as a similar role as ftp mirrors, but then for
> browsable code, commits, etc. Using it is entirely optional, you don't
> have to give out control of your data to anyone.

Hi Jeroen--

Thanks for taking steps to try to help with the GnuPG community.  It
looks to me like you've taken more steps rapidly without consultation
than others in the community are excited about.  This is a community
that has strong opinions about software and network service freedom,
maintainability, and longevity.  It's possible that the community as a
whole will decide that github isn't the right place for the GnuPG
project (even for a mirror), but hopefully that won't put you off from
helping with the GnuPG community in other ways.

Let me clarify some of the things that seem like they might be
premature:

Kristian has brought up the non-free tooling concern.  This is a real
issue, and it's clear that the centralization github provides has
specific risks to a community that relies on it (it also has advantages,
of course!).  As users of free software and free network services, we
can be more in control of our own data.

GnuPG already has relationships with mirror servers in place:

 https://gnupg.org/mirrors.html

It's not clear that a source repository mirror has the same properties
or user interaction features.

Github also has the capability for people to enter pull requests. (it
also offers issue tracking, but it looks like that's turned off at the
moment) Someone from the github scene might not realize that a pull
request submitted to https://github.com/gpg/gnupg won't make its way to
the upstream developers.

Are you committing to forward these pull requests reliably to upstream?
Do you plan to provide any sort of filtering or vetting of the pull
requests?

Other than the word "unofficial" at https://github.com/gpg, do you plan
any other way to indicate the relationship between the github gpg
project and the GNU Privacy Guard?

All the best,

    --dkg



More information about the Gnupg-devel mailing list