FESCo decision on 3rd party repositories

Stephen Gallagher sgallagh at redhat.com
Thu Dec 12 12:53:52 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/11/2013 05:58 PM, drago01 wrote:
> On Wed, Dec 11, 2013 at 10:55 PM, Josh Boyer
> <jwboyer at fedoraproject.org> wrote:
>> On Wed, Dec 11, 2013 at 4:50 PM, Elad Alfassa
>> <elad at fedoraproject.org> wrote:
>>> 
>>> 
>>> 
>>> On Wed, Dec 11, 2013 at 11:40 PM, Josh Boyer
>>> <jwboyer at fedoraproject.org> wrote:
>>>> 
>>>> On Wed, Dec 11, 2013 at 4:24 PM, Elad Alfassa
>>>> <elad at fedoraproject.org> wrote:
>>>>> 
>>>>> What is COPR?
>>>> 
>>>> It's a newly released platform for building personal RPM
>>>> repositories. Somewhat analogous to Ubuntu's PPAs.
>>>> 
>>>> http://copr.fedoraproject.org/ 
>>>> https://fedorahosted.org/copr/ 
>>>> https://fedorahosted.org/copr/wiki/UserDocs#FAQ
>>>> 
>>>> josh -- desktop mailing list desktop at lists.fedoraproject.org 
>>>> https://admin.fedoraproject.org/mailman/listinfo/desktop
>>> 
>>> 
>>> Interesting. We need to think and see how (and if) to integrate
>>> it with the desktop fedora experience. I wouldn't want
>>> gnome-software searching in all of these automatically.
>> 
>> Yes, agreed.  I was mostly thinking we wouldn't include them in
>> searches.
>> 
>>> Unless we get COPRs with proper metadata (an archive of all the
>>> appdata files they contain, perhaps) and meaningful
>>> description, I can't see a way for us to implement a good
>>> enough UI to browse and enable those from within the desktop
>>> environment.
>> 
>> Right.  Though if there is software contained in some that is
>> really useful, we could include specific repos from there.
>> 
>> Anyway, something that can be decided later.
> 
> Well there is nothing that can go in this repos that can't be in 
> Fedora right? (closed source is not allowed, patented is not
> allowed etc.)


That's not *strictly* true. Nothing can go into COPRs that wouldn't be
legally permissible in Fedora, but it has fewer restrictions than
Fedora proper (otherwise it would be redundant and useless).

A *non-exhaustive* list of things that could go into COPRs that
wouldn't be permissible (or at least recommended) in Fedora proper:

 * Packages that bundle their dependencies
 * Packages that provide a backwards-incompatible replacement for
something in Fedora (e.g. an experimental repo for the next version of
Ruby or OpenStack)
 * Packages that provide a version upgrade for a stable Fedora branch
(e.g. a Desktop environment)

All of these things would be legally acceptable in Fedora, but are not
politically or technically acceptable.


> So if anything those can be used for doing version updates but we
> must be careful to not break the system (what if the repo owner
> loses interested and stops updating it?) it would leave the users
> system in a kind of messy state.
> 

Yes, this is a risk that was identified at the FESCo meeting as well.
The current view is that FESCo and Legal should retain the right to
review any COPR before it can be made searchable by other tools
(gnome-software being the representative example). So we should
certainly *not* enable searching all possible COPR repos by default.
However, creating a whitelist (and a UI warning that they're getting
something not maintained by the Fedora Project) is probably fine.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlKpseAACgkQeiVVYja6o6O6mQCfYOJpcjeB+itq4roV9ZDOKdUS
m/IAoISk1lwnKXawiwX1uUaJR/mm5ZdG
=NrNt
-----END PGP SIGNATURE-----

More information about the desktop mailing list