RFC: Proposal for a more agile "Fedora.next" (draft of my Flock talk)

Matthew Miller mattdm at fedoraproject.org
Mon Jul 22 15:01:17 UTC 2013


On Mon, Jul 22, 2013 at 04:29:20PM +0200, Michael Scherer wrote:
> > And third, by increasing our engagement upstream, we can reduce our own
> > work. For example, right now RubyGems.org doesn't do any validation of
> > licenses, basic review for malware, or gem signing. If we knew that this
> > basic diligence was happening upstream, we could extend our circle of
> > trust. We've long had the mantra of "upstream! upstream! upstream!" for
> > code and patches — we can do the same thing for packaging, for the same
> > reasons and for similar benefits. (But to do that, we need to work with
> > upstream packaging formats rather than demanding RPM — because
> > experience shows that that doesn't work.)
> I am quite doubtful about this part.
> What interests most people pushing gems to github or anywhere is the low
> barrier of entry. By pushing our constraints upstream directly, I think
> we may go against the wish of those developers.

We don't have to do it in a way that limits the barrier to entry. We can
create a second level where certain gems are reviewed and signed, and a path
to move to that level. Then, we can start demonstrating the advantages of
being there.


[Rest of message snipped, but only because it's all very good points to
which right now I can only nod.]

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm at fedoraproject.org>

