On Thu, 18 Feb 2016 14:42:12 -0700 Stephen John Smoogen smooge@gmail.com wrote:
One of the requests was to have snapshots of the guidelines that we worked each channel against so that it was clearer what 5 wanted versus 6 wanted.
Sure, we have it divided into 5 and 6 here (I assume we don't have too many changes from 7): https://fedoraproject.org/wiki/EPEL:Packaging
Yeah. I think we could include 2 versions of everything (at the cost of 2x of the mirror space and bandwith), but then you have things like foo-1.0 has a major security bug and foo-1.1 came out to fix it, and you trick someone into downgrading or installing the old one and exploit them. ;(
If we don't delete them from koji we aren't fixing anything because if I can trick you to downgrade, I can trick you to go to the version in koji because it has the fix needed. [Since I have seen people talk about their systems getting broken into after they did exactly that.. I think it isn't going too far in assumptions :)]
Well, it becomes a great deal harder.
1. Hey, you should 'yum downgrade foo' because the newest one isn't good.
vs
2. Hey, you should download this https://kojipkgs.fedoraproject.org/blah/blah/blah/foo.rpm and 'yum --nogpgcheck localinstall foo.rpm' because the new one is broken.
The first one sounds a lot more legit. I think not having it in enabled repos makes it a good deal more clear.
Or not promise it at all. I think the underlying issue is that people think we do have full-time people working on EPEL with the same controls (if not more) than we have in Fedora.
Could be, yeah.
- EPEL only covers part of Enterprise Linux (the Server product)
but a lot of packages are for the Workstation but there is no way to see when things replace/conflict with them. [People believe that we build against the equivalent of CentOS-5/6/7 versus a subchannel.]
Yeah, not sure how to fix that without a second workstation branch. :(
The only monstrosities I have thought of were: epel-server-N epel-workstation-N epel-combined-N
which sounded like a ton of work for little benefit.
Yes.
OH yeah.. that was one of the items.. why is the website so old and dead. I told them your story about trying to fix it up and finding parts reverted over and over again. Someone recommended : Just start from scratch and kill the old stuff. Which I think was part of the "recharter" talks.
I'd fullly support someone working over the wiki... always good. ;)
Not sure I have the cycles to do it myself tho.
kevin