Proposal to reduce anti-bundling requirements

Haïkel hguemar at fedoraproject.org
Sun Sep 13 13:13:05 UTC 2015 

2015-09-13 10:16 GMT+02:00 Andrew Haley <aph at redhat.com>:
>
> The development model followed by much of the upstream world is
> immature: it may not even be repeatable, let alone well-defined.
> Shoehorning upstream's mess of bundled requirements is a very useful
> service that we can provide to our users.  By behaving in a mature way
> we can show that free software can be more reliable (predictable,
> trustworthy) than proprietary software.
>

That's quite the idyllic picture and it might have been true a decade ago.

But, distros have lost the influence they used to have then, we're in the
cloud/container era where people bundle everything ...

Before, upstream used to welcome patches to unbundle libraries or
we just ignored niche projects with difficult upstream.
Now, it's very common that large upstream projects just tell us to get
lost.

Results:
1. Packages maintainers burning out in following fast-paced projects
as some bundled libs have older API than latest releases, others are
heavily modified, and others are added.
2. Decrease in quality as these changes rejected by upstream are not
tested in their CI or by their community. Let's recognise that our QA for
packages is quite weak.
3. We can't ship a lot of "critical" packages for our users that ends up
relying on third party repo with far *lower* standards, or switch to other
distros.
4. Bundled libs are sneaked in thanks to sloppy incoming reviews and
that we usually don't review existing packages.

1 => it's important that we do not task our fellow contributors with
unreasonable efforts.

2 & 3 => that's something that makes us less relevant for end users

4. => ruins completely the effort. Moreover, security team can't track
CVE for these bundled libraries as they're not announced.


The difficulty is here to keep the incentive of pursuing the effort, while
relaxing the rules to discourage bad practices from our folks, and keep
Fedora relevant to users.

Long-term solution would probably be rings or alike, so we could focus
on properly curated core, and have groups focusing on a small set of
packages without affecting the rest of us.



> I remember the time before free software distros like Fedora: it was
> chaotic, with messes of bundles and contradictory dependencies from
> all over the place, with no reliable tools for finding things.
> Relying on the upstream ecosystem's way of sorting this out, with a
> different mechanism provided depending on programming language, isn't
> going to do it.
>
> Andrew.
>

The world has changed, and containers have made this problem less
relevant so it's gonna stay like this for a while.
Ignoring that fact would just lead to our downfall, and leave the space
to alternatives with lesser quality.

H.

More information about the devel mailing list