FESCo decision on 3rd party repositories

Matthias Clasen mclasen at redhat.com
Thu Dec 12 12:55:56 UTC 2013 

On Thu, 2013-12-12 at 07:12 -0500, Josh Boyer wrote:
> On Wed, Dec 11, 2013 at 10:41 PM, Matthias Clasen <mclasen at redhat.com> wrote:
> > On Wed, 2013-12-11 at 16:23 -0500, Josh Boyer wrote:
> >> On Wed, Dec 11, 2013 at 4:21 PM, Josh Boyer <jwboyer at fedoraproject.org> wrote:
> >> > Hi All,
> >> >
> >> > At the FESCo meeting today, the following things were decided on 3rd
> >> > party repositories.  Some of this is specific to COPRs because those
> >> > are an odd case of 3rd party repositories.
> >> >
> >> > 1) COPRs can provide RPMS with .repo files in them because Red Hat is
> >> > the provider and assumes liability, but those cannot be included in
> >> > the main Fedora repos per FESCo decree.
> >> >
> >> > 2) COPR repos may be searched for applications to install as long as
> >> > the user is explicitly asked to enable the copr before installing
> >> > packages from them.
> >> >
> >> > 3) General 3rd party repositories cannot be searched or enabled due to
> >> > liability concerns.
> >> >
> >> > (NOTE: "searched" in 2 and 3 was intended to cover searching by
> >> > software.  Clearly users can manually search for anything.)
> >> >
> >> > 4) FESCo is okay with pointing to specific free software repositories
> >> > in the same way as COPR repos if they are approved by FESCo and Fedora
> >> > Legal. They are not limited in the criteria that they can choose to
> >> > apply.
> >> >
> >> > 5) For non-free sofware repositories, FESCo is not changing exisiting
> >> > policy. Non-free software repositories are not allowed.  Permission to
> >> > make these discoverable via searching software would require a change
> >> > in policy from the Fedora Board.
> >> >
> >> > In short, this means products can request approval of specific 3rd
> >> > party free software repositories.  If approved, they can include their
> >> > contents along with COPR repos in application searches a user does and
> >> > offer to install them with a warning that they come from a 3rd party,
> >> > non-Fedora repo.  Repositories containing non-free software cannot be
> >> > enabled by default or made discoverable through software.
> >>
> >> The FESCo ticket documenting all of this is here:
> >> https://fedorahosted.org/fesco/ticket/1201
> >
> > The discussion in that ticket was focused almost entirely on coprs,
> > which are really not that relevant when it comes to third-party
> > software.
> 
> Mostly.  Yesterday's meeting covered the core of the third-party repo
> discussion not related to COPRs.
> 
> > I have no problem with the 'cannot be enabled by default' part of the
> > last sentence, but 'cannot be made discoverable' is bordering on
> > censorship - fesco does not get to decide what users do with their
> > fedora systems.
> 
> They haven't decided that.  They have stated that software packaged
> within Fedora cannot reference general 3rd party repositories that
> have not been approved.  As I noted above, there is clearly no method
> to stop a _user_ from searching for anything and I don't believe FESCo
> would want to prevent a user from doing anything they want with their
> system.  The restrictions in place are done to limit liability.
> 
> The non-free repo ban is less about liability and more about adhering
> to the Fedora project's philosophies as FESCo read them.
> 
> While not exactly unlimited freedom, overallthis is actually less
> restrictive than previous policies on 3rd party repos (which, in
> short, has been NO).
> 
> (small reminder: I am not on FESCo)
> 
> > Lastly: was any attempt made to invite Christian to the Fesco meeting ?
> > I find it somewhat questionable to decide this item while the main
> > proponent who is cc'ed in the ticket is on a plane to Lahore.
> 
> I will take partial blame for that, as I'm the WG liaison.  However,
> Christian has been rather busy for the past few months and has been
> silent on the ticket.  He and I have discussed this in detail
> elsewhere and I believe I understand what he was pushing for.  If he,
> or anyone else, would like further action or clarification, please let
> me know.

Thanks, Josh, I didn't know you had extensive consultation with
Christian on this. I'll let Christian speak for himself when he manages
to get back online.

And I guess we'll have to see how this new rule works in practice when
we get to talking about concrete cases.

More information about the desktop mailing list