Dist-git for Copr

Dennis Gilmore dennis at ausil.us
Sat Sep 6 15:07:30 UTC 2014


On Thu, 04 Sep 2014 17:34:57 +0200
Miroslav Suchý <msuchy at redhat.com> wrote:

> Hi,
> we (the Copr team) would like to allow uploading of source RPM to
> Copr. It seems that best way is to utilize dist-git [1]. Then Copr
> will fetch sources and spec file from dist-git and build SRC.RPM the
> same as Koji does now. And hopefully you will be able to use fedpkg to
> interact with Copr.
> 
> I see two options available: Copr will have its own dist-git instance
> or we will share dist-git together with Fedora. There are pros and
> cons for both and I would like to summarize it.
> 
> 1) Copr will have its own dist-git instance
> Pros:
>   * no possible conflicts with Fedora
>   * installation of dist-git is tracked in ansible playbook in
> infra.git, so it should be straightforward (although Pavol Babincak -
> current maintainer of dist-git - claimed he had hard times to
> reproduce the installation)
> Cons:
>   * requires additional machine (Fedora currently uses 8GB RAM + 2 GB
> swap and 1 TB of disk)
>   * and additional maintenance (although Pavol Babincak claims that
> there are no problems with running instance, he barely needs to touch
> it)
Pavol is one of the maintainers; he is not the only one.


> 2) Copr will share dist-git with Fedora
> Pros:
>   * no maintenance of new machine
>   * a lot of sources are the same and shared in look-aside cache (less
> data stored)
>   * technically easily possible. E.g. for package 'rpm' in Copr
> project msuchy/foo we can create branch 'msuchy/foo' of dist-git
> 'rpm'. There are separate ACLs for each branch, so owner of
> 'msuchy/foo' branch could not affect branch 'f20' and vice versa.
> Cons:
>   * dist-git uses MD5 for checksum [2] therefore it can be practically
> possible to find collision with existing tar.gz and upload new
> version and Koji will use that file instead.
I do not see this as a huge issue.

>   * Koji currently builds from given SHA of commit of dist git and
> does not check if it is in correct branch. Therefore it can be
> theoretically possible to submit to Koji build from Copr branch. Afaik
> you still have to have ACL for that given branch in Fedora, so only
> Fedora package maintainer can do that and he obviously has no reason
> for that, but still... technically possible.
As long as the commit is in git, anyone with a koji cert (i.e.
potentially anyone who has signed the fpca) can submit a build. Until
we have ways to make sure builds are from an appropriate branch in koji,
I will strongly oppose sharing of dist-git.


> * Legal differences - users of Copr do not have to belong to
> CLA_DONE group. Can it make some problems? I do not know.
Yes, it can. I do not think we should accept contributions from people
who have not agreed to the fpca. I do not want to get into a situation
where a Fedora maintainer pulled commits from a copr repo into Fedora
and we are being asked to remove them because they legally could not
contribute.

> Pavol suggested that we have our own instance. But I know there are a
> lot of people from infra, legal and other teams, who can add something
> insightful before we start working on this.
> 
> [1] Although I heard one voice saying we should move from home brew
> code to more standardized git-annex
> [2] move to SHA is work in progress
> https://fedorahosted.org/rel-eng/ticket/5846
> 

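The branch check asked for in the reply above ("make sure builds are from an appropriate branch"), as an added example that is not part of the original message and is not Koji or Copr code. The commit ids, the graph and the function names are constructed for illustration; on a real repository the same test is `git merge-base --is-ancestor <commit> <branch>`.

```python
from collections import deque

# Constructed commit graph for a shared dist-git repo of package 'rpm':
# commit id -> parent ids. Ids and branch layout are made up for illustration.
PARENTS = {
    "a1": [],        # initial import
    "b2": ["a1"],    # history shared by both branches
    "c3": ["b2"],    # Fedora work, only on f20
    "d4": ["b2"],    # Copr work, only on msuchy/foo
    "e5": ["d4"],    # Copr work, only on msuchy/foo
}
BRANCH_HEADS = {"f20": "c3", "msuchy/foo": "e5"}


def is_ancestor(parents, commit, head):
    """True if `commit` is `head` or reachable from it via parent links."""
    seen, queue = set(), deque([head])
    while queue:
        cur = queue.popleft()
        if cur == commit:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(parents.get(cur, []))
    return False


def branches_containing(parents, heads, commit):
    """Names of all branches whose history includes `commit`."""
    return sorted(b for b, h in heads.items() if is_ancestor(parents, commit, h))


def may_build(parents, heads, commit, target_branch):
    """Accept a build only if the commit exists and is on the target branch.

    Checking only that the commit exists somewhere in the repository is the
    behaviour the thread describes as the problem.
    """
    if commit not in parents or target_branch not in heads:
        return False
    return is_ancestor(parents, commit, heads[target_branch])


if __name__ == "__main__":
    for sha in ("b2", "c3", "e5", "zz"):
        print(sha, branches_containing(PARENTS, BRANCH_HEADS, sha),
              "f20 build allowed:", may_build(PARENTS, BRANCH_HEADS, sha, "f20"))
```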

