[Proposal] Ring-based Packaging Policies

Thu Feb 12 21:49:13 UTC 2015

On Thu, 2015-02-12 at 20:18 +0100, Alec Leamas wrote:
> On 12/02/15 19:32, Stephen Gallagher wrote:
> > (Logistical note: please keep all replies to this thread on
> > devel at lists.fedoraproject.org)
> >
> > tl;dr Shall we consider requiring a lesser package review for packages
> > that are not present on Product or Spin install media?
> 
> 
> Thanks for bringing this up. We really need to do something about this, 
> and the proposal is likely to get things rolling.
> 
> This is really about two things, right? A "lighter review" and a general 
> bundling exception for packages not in the core (?)
> 

Ultimately, it's about one thing: Help get more software into Fedora
without scaring people away. The ultimate goal being that Fedora becomes
(remains!) a leader in the distribution of open source software.

> As for the bundling exception I more or less just agree. One detail 
> might be to add some text about not having bundled libraries in system 
> locations, and not exporting (filtering) them.
> 

That's an interesting point. Though it's somewhat academic as most
packages that bundle are usually carrying an internal copy (either
statically linked or stored in a package-private location).

There's one other piece to bundling that I neglected to mention in my
original email that was brought up at DevConf.cz: bundling also means an
increase in memory and disk usage, since the bundled lib will
effectively be loaded multiple times into memory. I'm personally of the
opinion that this is a lesser issue, given that memory and disk space
gets cheaper every day, but it *is* a disadvantage and should be noted.

> As for the "lighter review" this is not so clear to me. I agree that we 
> need to relax the review, but:
> 
>    - Wouldn't it feel a little more comfortable to list the exceptions 
> we allow compared to a regular review rather than starting with just 
> some broad statements what the review is?
> 

Yeah, I didn't want to get *too* specific in this original email. I
wasn't setting out to write new guidelines, just get a feel for whether
people thought this was worth exploring in greater detail.

>    - Shouldn't we make a distinction between 'review' and 'pass'. E. g., 
> even if we allow bundled libs, we should definitely review and locate 
> them. Isn't the situation similar for other things: while we still 
> review them, things that are blockers in ring 0 could pass in ring 1?
> 

Well, I tried to cover that by noting that all bundling still had to
have the virtual "Provides: bundled(pkg)" which therefore implies that
someone has done this search. Formal review guidelines should enforce
this, I guess. I don't want the review to be *too* strict or we will end
up where we are now, with many reviews sitting in neverland for a long
time because it's a significant time commitment to perform one.

> Colin walters wrote:
> 
> > Anyways, something I think is missing from here is more
> > details on how this "on the install media set" distinction
> > is maintained over time.  If it isn't separate (yum) repositories
> > it seems like it's going to be hard to enforce.
> 
> 
> A virtual provides in all ring 1 packages?

That would still be manual, so I'm not sure how it would help. The best
we can hope for is to write some tools to compare the compose trees and
notice if anything changes between two composes. If something new
appears, it should be flagged for review.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150212/a737d623/attachment.sig>