packaging-committee

Clone
Source Code
GIT

#366 Should we hand enabling third party repositories back to fesco?
Closed: Fixed None Opened 10 years ago by toshio.

Closed: Fixed
Reopen Issue

As part of the three products WG discussions the question has arisen about whether the products should be able to enable additional repositories to get packages from:

https://fedorahosted.org/fesco/ticket/1201

In the ticket, notting notes that the current policy of disallowing isn't a fesco policy but an FPC Packaging Guideline: http://fedoraproject.org/wiki/Packaging:Guidelines#Configuration_of_Package_Managers

Further research shows that this is our ticket to approve that Guideline: https://fedorahosted.org/fpc/ticket/106

and that the ticket stemmed from a FESCo ticket: https://fedorahosted.org/fesco/ticket/671

Since this Guideline treads the border of FESCo and FPC we need to discuss a bit whether we'd like to hand this back to FESCo and if so to what extent.

I think to split this on the usual "how to package" "what to package" boundaries we might move the following to FESCo (and they could then pass them down to the WG's if they desire):

  • ''Configuration for package managers in Fedora MUST ONLY reference the official Fedora repositories in their default enabled and disabled state (see the yum repo configuration in the fedora-release package for the canonical list).''
  • This could become a FESCo/WG decision.
  • ''Unofficial and third-party repositories that contain only packages that it is legal for us to direct people to in Fedora (see the Forbidden items and Licensing:Main pages for an explanation of what is legal)''
  • This part could be shared between FESCo/WG and Fedora Legal instead of FPC and Fedora Legal.
  • ''may be shipped in %{_docdir}.''
  • This part remains with FPC as implementation... however, it is implementation of the remaining sentences. So if the remaining sentences change, this implementation may change as well.
  • ''The idea is that the system administrator would need to explicitly copy the configuration file from doc into the proper location on the filesystem if they want to enable the repository.''
  • I could see this going to FESCo as well although it's in a grey area. It's saying that no unofficial Fedora repositories are to be enable-able without sysadmin intervention at the filesystem level (how the system should be usable rather than how it should be packagable....). If we sent it back to FESCo they could instead work out that third party repositories must ship disabled but could be enabled via their yum config, a GUI tool could be used to move and enable them, or that they could be shipped enabled by default. It would then come back to us to write down how that would happen. If, as I think FESCo was leaning, some aspect of this would vary based on the Product, we'd need to specify Guidelines that would allow this to be changed per Product, not hardcoded in the Package.

If we do send this back for FESCo to allow changes, we should also note the problems with enabling non-Fedora repositories such as conflicts between the Fedora packages and the non-Fedora packages, someone needing to keep track of potential Legal issues, and overwriting of Fedora packages by the packages in the non-Fedora repo. Products implementing non Fedora repositories should take those into account.

From today's meeting:

Proposal: If FESCo would like to allow pointing to repos that don't have Official Fedora Content they can let us know and have someone propose a guideline draft that we can critique and vote on. However, after talking with Fedora Legal, the requirements for us to be able to point to repositories outside of our control may be so costly that in practice there's very few repositories that we can actually point to. Given the costs to benefits, FPC also recommends that third party repos not be enabled.

Proposal (See ticket https://fedorahosted.org/fpc/ticket/366#comment:1) Is currently (+1:4, 0:1, -1:0) will ask for more votes in ticket.

Need one more +1 to pass

  • Currently voted +1: limburgher, abadger1999, geppetto, tibbs
  • Currently voted 0: RemiFedora
  • Still need votes from spot, racor, Rathann, SmootherFr0gZ

Since this is informational to FESCo, if we don't get more votes before next week's FESCo meeting I'll simply let them know the proposal and the vote count.

+1 from me.

Background information from meeting that I'll include when I send this to FESCo:

  • Most but not all FPC members agreed that the basic allow or disallow could be decided at FESCo level and then FPC could decide on the how to package in accordance with that decision.
  • The votes against the proposed message to send to FESCo fell on the side of not wanting to see third party repos enabled.
  • Fedora Legal (spot) spelled out the requirements for pointing to repositories that we don't control and they are pretty heavy.
  • Ongoing vetting of packages inside of the third-party repositories to make sure they do not contain legally problematic packages.
  • copr/repos.fedorapeople.org can be considered third-party for the purposes of Fedora Legal's responsibilities.
  • These responsibilities also apply to repos listed in %docdir under the current policy but Fedora Legal knows of no repos listed in %docdir and so hasn't had to do any ongoing vetting.
    • (I had not realized this... I'm thinking about suggesting we do not allow shipping repos in %docdir because they require ongoing vetting if fesco chooses not to ask us to allow enabling third party repositories)
  • FPC felt that deciding which repos would be allowed was best done in FPC with collaboration by Fedora Legal
  • From the above conversation with Fedora Legal we anticipate that Fedora Legal would disallow a large number of the repositories people might want to point to.
  • FPC Members were split on the benefits of this but all agreed that there was high cost.
  • Benefits seen -- some people don't want to get their packages into Fedora but end users may want to use those packages. So might as well make it easy to find. Counterpoint: If we can point to it from Fedora then we might as well get it into Fedora even if that means a new fedora yum repo or more special cases for specific software.
  • Costs: Fedora Legal has to spend much more time vetting the packages in third party repos that we're pointing to on an ongoing basis.

Current vote: (+1:5, 0:1, -1:0)

  • Currently voted +1: limburgher, abadger1999, geppetto, tibbs, Rathann
  • Currently voted 0: RemiFedora?
  • Did not vote: spot, racor, SmootherFr0gZ

That's enough to pass. I'll send this along to FESCo. Other members of FPC can still vote for the record if they like (Since this is partially about giving an opinion to FESCo, that information can be useful).

Statement passed on to fesco ticket.

I could not vote during the last meeting, because I was pulled away:

My vote on this proposal: -1

Metadata Update from @toshio:
- Issue assigned to toshio
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.