What do we want to archive with Fedora?

Jason L Tibbitts III tibbs at math.uh.edu
Sat Dec 23 20:45:53 UTC 2006


>>>>> "RS" == Rahul Sundaram <sundaram at fedoraproject.org> writes:

RS> Thorsten's idea of an add-on repository within the project was
RS> clear to me. However, letting other packages (besides
RS> fedora-release) add additional repositories looks entirely
RS> different. Why would you ever want to allow that?

Firstly, I'll point out that my phrasing was carefully chosen:

"this would be an example where it could be considered reasonable for
a package to add a repository."

Note that "it could be considered reasonable" implies very little
about my opinion; I'm just trying to bring up points for discussion.
However, let me lay out an example:

We put kernel modules in a separate repository internal to the
project (so there are no legal issues here to worry about).  We want
to make the repository available, but not enabled or even installed by
default.  There are a few choices:

1) Require that users manually add a file to /etc/yum.repos.d.

2) Require that users fetch a package from the web to add the
   repository: rpm -ivh http://whatever

3) Put the repository definition in a package in the Fedora
   repository, so that it can be installed with yum.

Note that only #3 gets the repository installed and manageable through
our package system with all of the security guarantees that a package
signed with the Fedora keys gives.  I suppose it's possible that the
package in #2 could be signed with the Fedora key, or that the key
could be imported via some other method, but then my understanding is
that rpm doesn't check keys at install time.  Perhaps the procedure
could be complicated a bit to give the benefits of proper key
retrieval; I'm not sure.

Now, what's the difference between putting the repository in the
fedora-release package and putting it in this mythical other package?
Well, it's another layer of stuff the user has to do in order to get
that repository on the system, which could potentially alleviate some
of the concerns of the people who don't want modules at all.  In that
package you could do additional things like, say, add some boot
messages or some display on the GDM login screen indicating that the
unsupported module repository was enabled.  Let your imagination run
wild.

 - J<




More information about the advisory-board mailing list