How to handle upstreams with bundled libs (Was Re: December 2010 Fedora Election Plan)

Stephen Gallagher sgallagh at redhat.com
Thu Oct 28 23:50:15 UTC 2010



I'm intentionally breaking the thread because I want this email to be
read and comprise a formal request for Board consideration, specifically
item 2 below.

On 10/28/2010 07:36 AM, Jeroen van Meeuwen wrote:
> Toshio Kuratomi wrote:
>> On Wed, Oct 27, 2010 at 07:40:37PM -0600, Stephen John Smoogen wrote:
>>> On Wed, Oct 27, 2010 at 19:00, Jeroen van Meeuwen <kanarip at kanarip.com> wrote:
>>>> Matt Domsch wrote:
>>>>> I'm sensing a growing frustration from some of the people who have
>>>>> been heavily involved in Fedora for a long time, a sense of burnout.
>>>>> We've all felt it from time to time.  The lack of people stepping
>>>>> forward to take on leadership tasks, such as the Spins SIG leader, the
>>>>> election coordinator, and similar is concerning to me.  Am I alone in
>>>>> this?
>>>>
>>>> No you're not.
>>>>
>>>> I can't explain why concisely but Fedora was and is no longer an
>>>> awesome engineering platform where I could Get Things Done.
>>
>> Actually, I think this pretty concisely describes my burnout.  It's getting
>> harder and harder for things to get done.  (Yes, I realize this coming from
>> the person that has to play the bad guy about bundled libraries all the
>> time keeping packages out but... I've recently asked if we should relax
>> those guidelines since it seems that no one wants to enforce them
>> consistently.)
>>
>
> Wow, this is huge;
>
> We all know *why* our guidelines and rules set out the boundaries of the road
> to salvation, and they *are* superior to any other distribution. Really, I
> think they do and that they are. We have the most savvy people in this world
> working on these things continuously, and while I may not understand some of
> them, I trust these people. I think we should stick with them guidelines as
> much as possible. "As much as possible" being the key words in that sentence.
>
> We seem to lack the willingness to seek compromise in many aspects; case in
> point here is bundled libraries, but more in general we seem to lack the
> formerly existing attitude of "Hell yeah. How?" - I'm afraid it has become
> "Why? If ..., and if ... Euh... No."
>
> Example case in point is rubygem-passenger, shipping a bundled, forked and
> modified legacy version of the boost C-library. Bad, bad, bad.
>
> I can't fix it. I'm a terrible C coder. Nobody looking at reviews can fix it
> before the end of dawn, and only after it's fixed it would be accepted as a
> package.
>
> This means that meanwhile, thousands of us downstream consumers run
> rubygem-passenger customly built, packaged (maybe) and deployed to production,
> whatever was the latest version when someone had a chance to look for updates.
> Bad, bad, bad. Very bad.
>
> I think a better sustainable route is to allow the package to get in, and log
> massive amounts of bugs against it to fix what would then be ending up on
> many, many systems; The effect is downstream consumers run in circles less and
> less because they do not have to build and deploy the foo on their own and the
> Fedora Project (or the Red Hat Bugzilla) becomes the tip of the point of all
> that momentum. *I* think that's worth balancing off
> road-to-salvation-guidelines vs. actually-might-get-it-done-proper.
>
> However, more relevant to my previous post; If I had the slightest impression
> I could improve this in the Fedora Project, hell I'd run for FESCo with solely
> this agenda item. I've not run for FESCo, so guess what my impression is.
>
> Fedora Project may not even know or ever hear it's throwing up roadblocks
> simply by de-motivation on the account of prior roadblocks having been thrown
> up whether any individual within the project or the project itself thinks of
> these as actual roadblocks.
>
> Yes, it's mostly eager, savvy, renegade, stubborn, visionary and/or more
> established contributors running into these kinds of things - but it's also the
> group of people you can safely assume will do the right thing given a level of
> compromise to be sought or dare I say it, free rein.
>

Just for the record, in most cases there IS a middle ground. Take a look
at the hard work Spot's been putting into packaging Chromium in his
private repository. It's not ready for Fedora proper because Google
still insists on packaging its own versions of certain system libraries,
but it's slowly getting there. Spot is helping a great deal by stripping
out those libraries that he can and helping Google's upstream become
aware of the problem that those bundles represent.

In the case of packages like rubygem-passenger (which I will admit
freely to having no in-depth knowledge of), there are a couple
approaches that could be taken.

1) We have the
http://fedoraproject.org/wiki/Packaging/SourceURL#When_Upstream_uses_Prohibited_Code
rules in the Packaging Guidelines for a reason. A party interested in
seeing a package in Fedora proper could work towards stripping out the
bundling requirement in the source tarball, then package that up as
described above. Naturally, any changes made to accomplish this should
be submitted back upstream in order to improve the product for everyone.

2) In the cases where this is completely impossible without extensive
upstream work, we should rewrite the rules around the use of
http://fedoraproject.org/wiki/Fedorapeople_Repos repositories to allow
such packages in an unofficial capacity. Right now, they require an
agreement that all packages being hosted meet with Fedora Packaging
Guidelines in full, but I suspect that the Board could consider reducing
this restriction to "In compliance with Fedora Legal guidelines"
instead. So we could at least have a central semi-official repository
where these packages could be made available to those who need them
(separate from Fedora and unsigned so those using them *know* they're
not official or fully-supported) while efforts are made to bring the
project into full compliance, at which time it should become an official
package.


For the record, I *am* running for a seat on FESCo, and I'd be willing
to back this proposal up.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/