Upstream developers maintaining their own package in Fedora and nothing else

Hans de Goede j.w.r.degoede at hhs.nl
Mon May 5 10:36:49 UTC 2008


Michael Schwendt wrote:
> On Mon, 05 May 2008 10:27:14 +0200, Hans de Goede wrote:
> 
>> Hi All,
>>
>> After the sponsor discussion we recently had, I decided I've been neglecting 
>> the sponsoring and went and took a look at the FE-NEEDSPONSOR queue.
>>
>> One of the reviews this has got me involved in is fpm2:
>> https://bugzilla.redhat.com/show_bug.cgi?id=444830
>>
>> This review is special as the upstream developer is submitting the package, and 
>> he has stated that for now he has no interest in doing other Fedora work.
>>
>> I believe that it is good to have upstream maintain packages for their own 
>> software, even if that is the only thing they do within Fedora, so I've 
>> proposed the following procedure to the submitter:
>>
>> --
>>
>> Ok, we currently don't really have any special rules for an upstream maintainer 
>> becoming a maintainer of its own software within Fedora, but this is definitely 
>> something we want. So I would like to propose the following:
>>
>> 1 I review fpm2, you make any necessary changes etc, until I approve fpm2
>> 2 Once fpm2 is approved you can request cvsextras membership in the account-
>>    system and I'll sponsor you
>> 3 Given that you're new at packaging I'll then co-maintain fpm2 with you
>>    (mostly looking over your shoulder; I'm more than busy enough as is).
>> 4 Please refrain from touching other people's packages as you've not been
>>    through the normal showing-the-ropes process involved in sponsoring
>> 5 If you want to submit another package please let me know, then we can continue
>>    the sponsor process there.
>>
>> Does this sound like a plan?
>>
>> --
>>
>> And now I'm wondering what others think of this and if maybe we should get some 
>> kinda special procedure for this?
> 
> My first thought was "do we really need policies for everything"?
> 

I hear you, and I agree less is more when it comes to policies.

> Can't we just say that the sponsors have permission to approve accounts
> so new contributors may join and get productive?

Agreed,

> If you agree with an upstream developer on maintaining a package in Fedora,
> either alone or with you as co-maintainer, does it matter how you do it?
> 

Well, there always is this problem of someone becoming malicious. I guess if 
someone really wants to he can easily just follow the normal process, so do a 
couple of new packages and a couple of reviews, but this is lowering the 
barrier to entry, which I'm fine with, but I at least want others to know about 
this and shout "NOOO" before continuing with this.

> You just need to be careful with premature approval of a package+account
> from somebody, who only follows Fedora Packaging guidelines reluctantly
> during review and later drops the ball. With reasons that may or may not
> have to do with Fedora or its bureaucracy. Then you would need to continue
> maintaining the package yourself or orphan it. For temporary volunteers
> it's too easy to leave the project and leave behind work, which other
> people may need to pick up because of dependencies. As long as we have an
> increasing collection of guidelines and policies in a Wiki that gives the
> feeling of a maze, Fedora is not just another platform which you can throw
> at a multi-distribution spec file that doesn't adhere to the policies.
> Every package in Fedora demands interest in creating a package that
> meets the guidelines and in using the Fedora-specific tools to build
> and publish the rpms. It's beneficial if an upstream developer, who
> wants to maintain his software in Fedora, actually uses Fedora *and*
> the packaged software. Except if Fedora gives reason to be unhappy,
> that bears a risk.
> 

Someone leaving again soon after joining is not my biggest worry: either 
someone else picks up his/her packages, or they get orphaned and removed from 
the next release.

>> This has led to me thinking that we really 
>> need the special new contributor group which was proposed by, I believe, Jesse, 
>> which is to be a special group for new contributors which would not give them 
>> access to anything outside their own packages.
> 
> Do you want to prevent accidents? Or do you want to reduce the privileges
> of possibly malicious users?

Both but mainly the second (malicious users).

> Any packager plays with fire if he touches
> things other than his own packages. And even if new contributors in a
> special group are locked down to their own packages, access to the build
> system is the crucial point.
> 

True, I forgot about a number of ways to make any package wreak havoc once in 
the repo, so someone truly malicious can wreak havoc as soon as he/she can 
push packages to the repo. Which really just leaves the accident problem, and 
that doesn't have me worried so much.

Regards,

Hans