On Thu, Aug 16, 2018 at 4:09 PM, Stephen Gallagher <sgallagh(a)redhat.com> wrote:
I'd *really* like to see us get to a point where package review is
fully-automated. Basically we could just have a web-service that you pass a
URL to an SRPM plus authenticate with your FAS account and it will perform
all of the validity checks and if they all pass would go ahead and request
the branches for you and import the SRPM.

Once this is fully automated, we can then *also* add the same checks to CI
(taskotron, OSCI or whatever) so that on each build it gets rerun, which
will allow us to help reduce the rate of packages falling out of compliance
(as well as being updated whenever the checks get made more comprehensive).

Historically, we've had human review mainly to protect against two things,
bundling and unacceptable licenses. In both of these cases, I'd like for us
to move towards a culture of assuming goodwill on behalf of our packagers.
Most of the packagers in Fedora have been doing it for a long time and know
what is and is not acceptable. Optimizing for the minority case is wasteful,
especially when it adds hurdles and delays to getting software delivered.

Also (at least in my experience), generally licensing issues get
caught by a human inspecting the output of "licensecheck", which
fedora-review currently runs automatically anyway. If the automated
review process did this and showed the results to the packager, I bet
we would catch a lot of the licensing/bundling problems.

Anyway, I really like this idea. Maybe we should still require
quasi-manual reviews for new contributors as part of the sponsorship
process, though?

Ben Rosser