[Proposal] Ring-based Packaging Policies

Vít Ondruch vondruch at redhat.com
Wed Feb 18 09:43:29 UTC 2015


On 17.2.2015 at 17:18, Petr Pisar wrote:
> On 2015-02-17, Josh Boyer <jwboyer at fedoraproject.org> wrote:
>> On Thu, Feb 12, 2015 at 1:32 PM, Stephen Gallagher
>> <sgallagh at redhat.com> wrote:
>>> == Proposal ==
>>> With these things in mind, I'd like to propose that we amend the
>>> packaging policy by splitting it into two forms:
>> I think this needs to go beyond simple policy.  It needs some
>> buildsystem enforcement as well.
> [...]
>> With the definition you have here, I'm afraid we are going to be
>> constantly playing "is or isn't" on whether a package is core or not.
>> E.g. things get sucked into the install media due to dependencies and
>> nobody notices until it's time to trim the size.  It just doesn't seem
>> like this would scale, particularly since the distro is rather fluid.
>>
>> Perhaps instead the Base WG could come up with what they consider
>> core, and we could really stick to that?  Meaning, things in core
>> cannot Require packages outside of core at runtime.
> [...]
>> I'm OK with this if Ring packages land in a separated repo.  That
>> could be done by having a separate koji target that spits out things
>> into a rings repo.
>>
>> My concern here is that if everything (ring and core combined) lands
>> in the same koji tag and goes through koji just like packages do
>> today, we're going to wind up with a big mess.  Having dependencies on
>> ring packages is going to entangle things and make it very hard to
>> clean up later.
>>
> I agree.
>
> While it's tempting to "just tune policy a little" (i.e. reduce
> packaging guidelines), it's not enough. The implications are huge (from
> security, sustainability, trust point of view). My impression from
> reading this thread is people do not want a mixed system.
>
> Why not create a new repository with reduced policy as
> Stephen proposed with the one-way dependency rule (between current
> Fedora and the new easy-for-beginners repository)?
>
> If the repository was fully supported by Fedora project (package
> database, dist-git, koji, bodhi, bugzilla) with yum/dnf configuration
> knowing the easy-for-beginners repository, then both groups
> (deniers and supporters of the mixed system) would be satisfied.
>
> After some time, we can evaluate if the easy-for-beginners repository is
> a viable solution (from all the points of view I listed above). If the
> reduced policy is really the golden solution, then we will witness
> a spontaneous move of packages from Fedora to easy-for-beginners
> repository.
>
> -- Petr
>

What is wrong with using Copr for the "ring packages"? It already works
just fine (maybe BZ is missing). There are no reviews, no guidelines,
you can bundle ... I believe that everybody understands that while Copr
is supported by Fedora, you are using these packages at your own risk. I
can't imagine a better state.


Vít

