Salsa is Debian's collaborative development server based on the GitLab software. Debian migrated from previously used Alioth (FusionForge based) to Salsa in Jan 2018. I consider this migration as an improvement. Of course, there are still some developers who don't like Salsa. One of the reasons is too much clicking on buttons in its web-interface, where command line is more convenient. For those who don't like clicking buttons in a web-interface there is salsa, tool to manipulate salsa repositories and group members.

This tool, salsa, is a part of the prolific devscripts package. To use it one need a Salsa token, so one has to deal with Salsa's web-interface one more time. One needs to open Setting, and then Access Tokens. After that just pick a name for your brand-new Personal Access Token, choose its expire date, and choose its scope (for the most convenience one needs api scope, which grants complete read/write access to the API, including all groups and projects). Then just add SALSA_TOKEN=your_token to your .devscripts.

Wait. Is it secure to store such a powerful thing in a form of a plain text? Hmmm, well… If there's a way to keep it in a more secure place but without lots of inconvenience, then let's do it.

Save your Personal Access Token to a local file, say .salsa_key and encrypt it with gpg:

$ gpg --recipient <email_associated_with_your\gpg_key> --encrypt .salsa_key

Now you have plain text .salsa_key file and encrypted .salsa_key.gpg file. Then it is required to fix your .devscripts file. Remove your token from the line starting with SALSA_TOKEN= and change it to

SALSA_TOKEN=$(gpg --quiet --decrypt ~/.salsa_token.gpg)

After that just delete plain text .salsa_key file from your computer. Now your Personal Access Token is secured with your GPG key. Just try

$ salsa whoami

command, and good luck with your Debian contributions!