Language specific mirrors for Fedora Playground compliant packages

Nick Coghlan ncoghlan at redhat.com
Mon Sep 15 08:19:38 UTC 2014


As mentioned in my self-introduction email, I'm interested in the idea
of filtered Fedora provided mirrors of PyPI/RubyGems/etc that contained
only packages that had been through Fedora Playground levels of review.

Having such selective mirrors available would mean that we could freely
choose between using the language level packaging tools and RPMs on a
project by project basis without having to recheck the licenses
ourselves. It would also provide a way for us to easily share the
results of our own licensing reviews when we bring in new dependencies
from upstream.

I believe this approach would also set up a good pipeline for bringing
new packages into Fedora:

Step 1: basic review
- if the package is even remotely acceptable to Fedora (e.g. suitable
license, not actively malicious), then flag it for inclusion in the
appropriate language specific mirror

Step 2: draft spec file
- make an initial cut at a spec file (e.g. autogenerated)
- provide as a COPR repo
- include in Fedora Playground

Step 3: full packaging policy compliance
- iterate on the spec file and the package to attain policy compliance
- incorporate into Fedora itself

Does this sound like an approach worth pursuing?

In the specific case of Python, devpi is an existing project that I
believe would be eminently suitable for providing a service like this
(using the whitelisting feature to indicate packages which had been
checked for Fedora Playground policy compatibility): http://doc.devpi.net/

Regards,
Nick.

-- 
Nick Coghlan
Red Hat Hosted & Shared Services
Software Engineering & Development, Brisbane

HSS Provisioning Architect
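
An added example (not part of the original message, and not devpi's own code or configuration) of the filtering step a reviewed-only Python mirror would perform on an upstream index. Names are compared after PEP 503 normalization, so a spelling variant of a reviewed project is served and anything else is withheld; the review list, sample index and function names are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

def normalize(name):
    # PEP 503: runs of "-", "_" and "." are equivalent; comparison ignores case
    return re.sub(r"[-_.]+", "-", name).lower()

class _AnchorCollector(HTMLParser):
    """Collects project names (anchor text) from a PEP 503 root index page."""
    def __init__(self):
        super().__init__()
        self.names, self._in_a = [], False
    def handle_starttag(self, tag, attrs):
        self._in_a = tag == "a"
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False
    def handle_data(self, data):
        if self._in_a and data.strip():
            self.names.append(data.strip())

def filter_index(upstream_html, reviewed):
    """Return (filtered index HTML, names withheld) for a reviewed-only mirror."""
    allowed = {normalize(n) for n in reviewed}
    parser = _AnchorCollector()
    parser.feed(upstream_html)
    kept, withheld = [], []
    for name in parser.names:
        (kept if normalize(name) in allowed else withheld).append(name)
    links = "\n".join(
        f'<a href="/simple/{normalize(n)}/">{escape(n)}</a>' for n in kept)
    return f"<!DOCTYPE html>\n<html><body>\n{links}\n</body></html>", withheld

# Constructed sample data: an upstream root index and a hypothetical review list
UPSTREAM = """<html><body>
<a href="/simple/requests/">requests</a>
<a href="/simple/zope-interface/">Zope.Interface</a>
<a href="/simple/reqeusts/">reqeusts</a>
<a href="/simple/unreviewed-lib/">unreviewed_lib</a>
</body></html>"""
REVIEWED = {"Requests", "zope_interface"}  # as recorded by reviewers

if __name__ == "__main__":
    page, withheld = filter_index(UPSTREAM, REVIEWED)
    print(page)
    print("withheld:", withheld)
```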


More information about the env-and-stacks mailing list