RFC: Fedora revamp proposal

Kevin Kofler kevin.kofler at chello.at
Mon Mar 11 16:59:32 UTC 2013 

Michael Scherer wrote:
> Given the target of rawhide, I expect people to be able to clean the
> unneeded packages after a while. Heck, like they do for packages that
> got orphaned and removed.

My concern is not Rawhide, my concern is stable releases, especially if one 
upgrades from one release of Fedora to the next, then to the next etc. 
Fedora installations usually go through many upgrades, seeing how we release 
every 6 months. The problem with your proposal is that it is focused on 
Rawhide and ignores the impact on our actual releases.

> And do you have any number ? Cause I have been running distro with such
> policy and "many MiB" still doesn't make much to my experience, so
> provides credible numbers if you wish to make your point , especially
> when talking to people who have seen this policy in action.

Let's just take one of the few compatibility stacks we actually have to 
carry (because porting is far from trivial) as an example:

Name        : qt3
Version     : 3.3.8b
Release     : 41.fc17
Architecture: i686
Size        : 10467741

Name        : kdelibs3
Version     : 3.5.10
Release     : 42.fc17
Architecture: i686
Size        : 38669698

Name        : kdebase3
Version     : 3.5.10
Release     : 20.fc17
Architecture: i686
Size        : 17612161

Name        : kdebase3-libs
Version     : 3.5.10
Release     : 20.fc17
Architecture: i686
Size        : 1317496

Now multiply this by the number of soname bumps in the lifetime of an 
installation (just look at how often there are broken dependencies from a 
soname bump in the Rawhide reports) and see for yourself what doing the math 
leaves you with.

And in addition to the space issue, the old libraries would also be 
unmaintained and not get any security fixes. Maintaining all the old 
libraries with old sonames we ever releases just does not scale! See e.g. 
how upgrading to a new version for security reasons is explicitly listed as 
an exception to the policy of not bumping sonames in updates for stable 
releases in https://fedoraproject.org/wiki/Updates_Policy . It's all the 
more valid for Rawhide / between different releases (because each individual 
release goes EOL after ~13 months, Rawhide never goes EOL, nor does Fedora 
as a whole of course, so old stuff can get REALLY old). Leaving old 
unmaintained libraries lying around on user systems is a security disaster!

> I do not see how it would feel wrong to try to fix a issue by changing a
> policy. And I do not see why Rawhide should be less important than
> stable for that matter.

Because the whole purpose of Rawhide is to serve as a development bed for 
our stable releases. Rawhide is not and should not be our product, our 
releases are.

And in any cases, the releases do exist and you cannot entirely ignore their 
existence in your proposal.

> Usually, you have 3 months for branched to make sure everything is
> rebuild and that there is only 1 version of a lib. Have you read what
> Olav said, about "packages without source rpm will be removed after 2
> weeks", and "then they show as having "broken deps in report" ?

Removing the old packages is not enough, you actually have to add Obsoletes 
to the current version if you don't want the old versions to accumulate on 
upgrades from one stable release to the next.

And who is going to enforce the Obsoletes? It WILL get forgotten more often 
than not. We already have enough broken upgrade paths as it stands.

In addition, having those Obsoletes will make users complain "Why does yum 
want to remove the compatibility library my [broken, not recompiled against 
the current Fedora] third-party package needs?", whereas not having them 
will make old (and unmaintained!) versions accumulate (as I said before). 
The best way to avoid such confusion is to avoid setting false expectations 
in the first place by just not version-suffixing the libraries.

> Not to mention that having the old version for a few days doesn't mean
> people cannot go ahead and rebuild their packages as they do now, the
> only difference is for users, since this permit to have a installable
> rawhide for a more longer period of time.

Just to avoid a window of a few days, your proposal wants to introduce a 
version suffix we're stuck with forever. This seems very wrong.

> yum history undo work fine for simple and medium cases, but after a
> while due to the level of churn on stable release, it can break :
> http://pastebin.com/Bdt6ngy2

The use case I was talking about is, you try the package, you don't like it, 
you uninstall it (before doing any other yum operations). Indeed, undoing an 
older yum operation may or may not work. But it's not the common case: Why 
would you want to uninstall a package after deciding you like it?

> That's just package naming. If you are more concerned by the name of the
> rpm than by having users, there is priority issue.

We have users right now, without your proposal.

And naming is an important issue: If you buy beef lasagne, you don't want to 
have horse meat in them! Likewise, if you install kdelibs4, you don't want 
to get kdelibs 3 installed.

> That's still not explaining. 2 is not "several".

With the security issue, I listed 3 reasons now. :-) There are certainly 
more, but those 3 are already severe enough to make your proposal a complete 
no go.

> And "I do not accept solution" is not the same as "there is no solution".

It's not that *I* don't accept your "solution", it's just that it doesn't 
work.

        Kevin Kofler

More information about the devel mailing list