QA process was Re: RPM submission procedure

Gene C. czar at czarc.net
Fri Jan 9 19:42:38 UTC 2004


On Friday 09 January 2004 13:59, Michael Schwendt wrote:
> On Fri, 9 Jan 2004 20:05:06 +0200 (EET), Panu Matilainen wrote:
> > The amount of nitpicking trusted developers produce
> > (among themselves) is enough to scare off anybody starting in packaging
> > I'm willing to bet :)
>
> This must change, although often it is separated between suggestions and
> blocker criteria. But at the same time, new packagers should not come
> with slightly modified packages from e.g. Mandrake Cooker which bzip2 even
> the smallest patch, or generic packages which contain dozens of lines of
> conditional code which tries to adapt to a build environment.
>
> A fundamental problem is "packager mentality". If a packager has the
> impression that a QA person is the nitpicking bad guy who's nothing else
> than a PITA, then the whole concept of working together on a community
> maintained repository is doomed to fail. If on the other hand, the
> packager is at least a bit open for suggestions or established common
> practise, everything works better.

I agree about a change being needed.

Something that is unclear to me is the purpose of the QA.  If it is to ensure 
that the package is constructed properly, etc., then this makes sense.  If it 
is targeting the software being packaged then I am sceptical that this is 
going to work.  Yes, some effort by packagers and reviewers should be made to 
address obvious security errors/problems.  But expecting a packager (as 
opposed to an upstream developer) to do everything is (IMHO) not going to 
work.  While source code audits can be useful, they are also very expensive 
and require highly skilled (and scarce) people to do them or the result is 
meaningless.

I also like the categorizing approach that Alex does for ATrpms.  If there is 
some expectation of having people actually test and QA some new packages, 
then there should be a place to put new packages ... reading bugzilla reports 
to find out about new packages just does not cut it.

I am hopeful that the Red Hat folks will speak on the Fedora Extras subject 
soon (their lack of comment is very noticeable).  Some of this discussion 
leads me to believe that the QA expectations (for fedora.us and Fedora 
Extras) exceed those for Fedora Core packages by Red Hat.  Yes, I am sure 
that some packages get a lot of scrutiny (the kernel, glibc, gcc, etc.) but a 
lot do not (e.g., gftp).
-- 
Gene




