half baked idea for further baking: "fedora-ugly" repo

Honza Horak hhorak at redhat.com
Tue Feb 11 18:53:14 UTC 2014


On 02/11/2014 07:35 PM, Matthew Miller wrote:
> On Tue, Feb 11, 2014 at 03:04:12PM +0100, Tadej Jane┼ż wrote:
>> Generally, a big +1 from me for the idea.
> [still tired from travel. longer reply later. deleting all of message
> except the one point I want to respond to now...]
>
>> I think we should define a small core policy (e.g. non-conflicting with
>> packages in Fedora's main repo, no over-riding of packages in Fedora's
>> main repo, licenses compatible with Fedora) and have an automated way to
>> check and enforce it. Having a manual review process would unnecessarily
>> slow the process of populating this repository.
>
> I'm afraid that this becomes an easy route for malware into the distribution
> if we don't have a human check. Obviously that can't be perfect either but
> it raises the bar significantly.

I'm not sure that significantly is correct. It's not such a big problem 
now to package some sane code, go through formal review and then change 
the code to malware. As far as there is some quick "stop" button, I'd be 
ok with automatic reviews.

Honza



More information about the env-and-stacks mailing list