On Fri, Apr 26, 2019 at 11:53 AM stan upaitag@zoho.com wrote:
On Fri, 26 Apr 2019 11:07:54 -0000 (UTC) Petr Pisar ppisar@redhat.com wrote:
I am a Fedora user with no dog in this fight.
A controversial property of modules is private build-time dependencies. Modularity allows packagers to hide them and not to support them (to the extent that they work in my module). However, this privatisation has costs. It means duplication of work unless two ...
Isn't this contrary to the Fedora rules? If I'm understanding this correctly, it means that modules in Fedora can contain dependencies on code that isn't available, so that Fedora (and users) can't build that module from source. And that the module could contain basically anything because no one can examine the contents that built the module. Could someone privately pull in something like the proprietary nvidia binary blob and use it to build their module without anyone knowing?
Because I'm not knowledgeable about this, it might be that private dependencies have to be packages built from source code available in the Fedora ecosystem, and so this is not possible. I just want to clarify my understanding.
The restrictions by Fedora Koji prevent that, but yes, MBS and Modularity do allow for something like this. It can't happen in Fedora because our Koji is not set up to consume external repositories (except for EPEL, which consumes RHEL content this way).
But I don't know if this restriction will stick around in the future...
That said, today, modules can and do rely on unpublished RPMs that have packaging in Dist Git. It is currently impossible with some modules to be able to privately rebuild them outside of Fedora infrastructure. I've made my displeasure about this known in the past, and hopefully this will be rectified soon.