GnuPG Github mirrors

shawn wilson ag4ve.us at gmail.com
Tue Oct 27 19:08:31 CET 2015


On Oct 27, 2015 7:29 AM, "Dimitri John Ledkov" <dimitri.j.ledkov at intel.com>
wrote:
>
> On 27 October 2015 at 03:44, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
> >> Following other GNU projects such as Linux and R, the GnuPG git server
> >> is now mirrored on Github:
> >>
> >>   https://github.com/gpg
> >
> > You certainly have the right to do this under the GPL, but is it wise?
> > Without community signoff your repo is going to be an unofficial mirror.
> >  People will file bug reports there and not on our bug tracker; worse,
> > since you're the owner, they'll expect you to fix their issues.
> >
>
> In git, all mirrors are equal, including the one on my laptop.
>

Well kinda and no. Git was created like that but if you look at the
majority of the repos most people have, you'll probably notice most use
only one repo (which is probably a bare repo). This means that that repo is
basically authoritative to them.

Hence my comment about commits etc not being signed - I trust that code is
how it was intended (or they'll find out they were owned almost a year ago
and let everyone know they're going through a year long code audit to
figure out if anything was messed with) if it's hosted by the maintainer.
If hosted somewhere else is maintaining the server we may never know if
they or someone else subverts the code.

So while I don't fundamentally care if the code is hosted on github,
bitbucket, sf, or whoever else, I do care if nothing is signed.

More information about the Gnupg-devel mailing list
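
The message above turns on whether anything in a mirrored repository is signed. The following is an added example, not part of the original post and not GnuPG project code, showing one way to audit a clone for that. The function names, the FPR_* fingerprints and the sample log lines are constructed placeholders, and audit_repo assumes the signers' public keys are already in the local keyring.

```shell
#!/bin/sh
# Added example: flag commits in a clone that are unsigned or not signed by
# a key you have pinned.
#
# Input lines have the shape printed by: git log --format='%H %G? %GP'
#   <commit> <status> [<primary key fingerprint>]
# %G? status letters: G good, U good but key validity unknown, B bad,
# X/Y expired signature or key, R revoked key, E cannot be checked, N none.

# classify_commits "FPR1 FPR2 ..."   (log lines on stdin)
# Prints "<verdict> <commit>" for every commit that fails the check and
# returns 1 if any did, 0 if every commit is signed by a pinned key.
classify_commits() {
    awk -v trusted="$1" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        NF == 0         { next }
        $2 == "N"       { print "unsigned", $1;           bad = 1; next }
        $2 == "B"       { print "bad-signature", $1;      bad = 1; next }
        $2 == "E"       { print "unverifiable", $1;       bad = 1; next }
        $2 ~ /^[XYR]$/  { print "expired-or-revoked", $1; bad = 1; next }
        $2 !~ /^[GU]$/  { print "unknown-status", $1;     bad = 1; next }
        # G or U: the signature checks out, so the decision rests on the pin.
        !($3 in ok)     { print "untrusted-key", $1;      bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# audit_repo REPO_DIR "FPR1 FPR2 ..."  runs the same check over a real clone.
audit_repo() {
    git -C "$1" log --format='%H %G? %GP' | classify_commits "$2"
}

# Constructed sample input (not real commits or real key fingerprints).
SAMPLE_LOG='c0ffee01 G FPR_MAINTAINER
c0ffee02 N
c0ffee03 G FPR_STRANGER
c0ffee04 B FPR_MAINTAINER
c0ffee05 E'

# Demo on the sample: reports every commit except c0ffee01.
printf '%s\n' "$SAMPLE_LOG" | classify_commits "FPR_MAINTAINER" || true
```

Pinning the fingerprint rather than accepting any good signature matters here: a signature that verifies against an unknown key says nothing about who produced the commit.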