On 2/3/14, Xavier Bachelot <xavier(a)bachelot.org> wrote:
On 02/03/2014 10:52 AM, Hans de Goede wrote:
> Hi,
>
> On 02/03/2014 02:14 AM, Ralf Corsepius wrote:
>> [2nd attempt to answer to this. My initial response from quite a while
>> ago seems to have gone lost.]
>>
>> On 01/29/2014 12:12 PM, Alec Leamas wrote:
>>> Formally, this is about review request 3152 for dropbox-repo [1]. From
>>> a more practical POV, it's about users being able to install software
>>> like dropbox more or less "out of the box", an area where I think we
>>> really need to improve (as can be seen in all those "Fedora XX post
>>> installation guide" out there).
>>>[cut]
>>>
>>> To handle this, my simple proposal is that we handle packaged yum
>>> repositories like this:
>>> - It's ok to package yum repositories listed in [4].
>>> - If anyone wants to change the list in [4] this should be announced
>>> here on rpmfusion-devel, and not done until we agree on it (similar to
>>> how we handle bundling exceptions).
>>>
>>> Thoughts out there?
>>
>> All in all, I am not OK with rpmfusion shipping other party's repos,
>> because such repos are out of Fedora's/Rpmfusion's control/influence.
>>
>> They open up an arbitrary amount of opportunities for these 3rd
>> parties to break, corrupt and damage Fedora installations (Package
>> conflicts, low quality packages, malware, spyware,
>> intruded/dead/broken 3rd party servers, etc), without Fedora/RPMfusion
>> being able to do anything against it.
No one is arguing for "an arbitrary amount of opportunities", at least
not I. My overall idea is still that the overall rule should be that
external repo packaging is forbidden. But, like for bundling, there
should be exceptions.
>> In other words, I'd recommend not doing so, because you guys are
>> likely to be facing very tough times in cases something goes wrong
>> with these "endorsed 3rd party repos".
>
> +1
>
> Regards,
>
> Hans
This is a valid concern, although I don't think it should be enough to
block any packaging attempt.
We could change things so that the files are shipped in /usr/whatever
and only "activated" i.e., copied to /etc/yum.repos.d after some
kind of dialog where user accepts this (perhaps with a warning text
like above). Would this improve the situation?
I'm in agreement with Ralf too.
imho, one of the biggest "selling points" for repositories like RPM
Fusion is the insurance the Fedora packaging guidelines are enforced and
thus the packages will integrate properly with the remainder of the
ecosystem.
[cut]
From a policy point of view current Fedora guidelines on this (which
we should comply to ?!) is really more or less a full page about
conditions when packaging of external repositories is acceptable or
not. If rpmfusion should conclude not to package *any* repository,
this would be a (much?) more restrictive rule than current Fedora
guidelines. Is this reasonable?
As for legal, spot has concluded that packaging a repository carries a
substantially smaller risk than repacking other parties' sw (which is
what lpf is all about). Link in first post, discussions.
Practically, I feel that some of these arguments seem based on that
all external repos are equal. However, they differ a lot. Leaving the
list of "endorsed" repos aside (that list might very well be a Bad
Idea anyway), how do these arguments apply to the dropbox repo (which
only carries the leaf application dropbox). E.g., what's the risk
that this application would destabilize the overall system?