On 2/5/14, Ralf Corsepius <ralf.corsepius(a)gmail.com> wrote:
On 02/03/2014 01:07 PM, Alec Leamas wrote:
> n 2/3/14, Xavier Bachelot <xavier(a)bachelot.org> wrote:
>> On 02/03/2014 10:52 AM, Hans de Goede wrote:
>>> Hi,
>>>
>>> On 02/03/2014 02:14 AM, Ralf Corsepius wrote:
>>>> [2nd attempt to answer to this. My initial response from quite a while
>>>> age seems to have gone lost.]
>>>>
>>>> On 01/29/2014 12:12 PM, Alec Leamas wrote:
>>>>> Formally, this is about review request 3152 for dropbox-repo [1].
>>>>> From
>>>>> a more practical POV, it's about users being able to install
software
>>>>> like dropbox more or less "out of the box", an area where I
think we
>>>>> really need to improve (as can be seen in all those "Fedora XX
post
>>>>> installation guide" out there).
>>>>> [cut]
>>>>>
>>>>> To handle this, my simple proposal is that we handles packaged yum
>>>>> repositories like this:
>>>>> - It's ok to package yum repositories listed in [4].
>>>>> - If anyone wants to change the list in [4] this should be announced
>>>>> here on rpmfusion-devel, and not done until we agree on it (similar
>>>>> to
>>>>> how we handle bundling exceptions).
>>>>>
>>>>> Thoughts. out there?
>>>>
>>>> All in all, I am not OK with rpmfusion shipping other party's repos,
>>>> because such repos are out of Fedora's/Rpmfusion's
control/influence.
>>>>
>>>> They open up an arbitrary amount of opportunities for these 3rd
>>>> parties to break, corrupt and damage Fedora installations (Package
>>>> conflicts, low quality packages, malware, spyware,
>>>> intruded/dead/broken 3rd party servers, etc), without Fedora/RPMfusion
>>>> being able to do anything against it.
>
> Noone is arguing for "an arbitrary amount of opportunities" ,
Well, I am.
Installation of rpms is performed by root, i.e. package installation is
maximum insecure, i.e. allowing any repository an expression of maximum
trust to a repository provider by each user.
=> Any arbitrary repository provider is granted 100% control over a
system == "an arbitrary amount of opportunities".
It's the reason why we tell users to only install from trusted sources
(== repositories) and not to pick up random packages from the net. It's
one of the key points which had assured safety of Linux over the years
and which makes *the* key difference to other OSes (esp. Win and Android).
Agreed.
But we are not talking about random packages from the net. We
are talking about making it easy to install specific apps from some
selected repos.
It's this rationale, why I consider adding the idea to add 3rd
parties
to Fedora or RPMFusion to be a truely stupid idea.
Could you not at least agree on
that we actually have a trade-off
here? Many (most? almost all?) fedora/rpmfusion users want to use some
apps available from 3-rd party repos for various reasons. Not
supporting this at all forces them to apply random guides out there,
with all sorts of risks and problems. Supporting it also carries
risks, agreed. But I just don't think it's fair to call any position
about this "stupid".
> This is a valid concern, although I don't think it should be
enough to
> block any packaging attempt.
>
> We could change things so that the files are shipped in /usr/whatever
> and only "activated" i. e., copied to /etc/yum.repos.d after some
> kind of dialog where user accepts this (perhaps with a warning text
> like above). Would this improve the situation?
Sightly - It would at least shift responsibility to the user.
As of today, user
will face the dialog in [1]. This would IMHO make
user responsible.
However it depends much on packaging details.
E.g. how do you want to copy with rpm file ownership on files below
/etc/yum.repos.d/*.repo and conflicts between such files being shipped
by upstream-rpms (rpmfusion, adobe do so), non-rpm-upstreams (e.g.
google-chrome does so) and manually written ones.
As for dropbox-repo, the repo file is in a sub-package. The main
package requires the repo file directly. The result is that it will
use an already existing repo file without conflicts, more or less
just adding some metadata to it.
> From a poilicy point of view current Fedora guidelines on this
(which
> we should comply to ?!) is really more or less a full page about
> conditions when packaging of external repositories is acceptable or
> not.
Which page are you referring to? One of these recently written pages to
"embrace 3rd parties"?
My personal position is clear: A stupid idea, whose only purpose is
populism.
If populism is about making Fedora/rpmfusion a popular distribution,
then call me a populist. I can live with that.
With my FPC head on: We do not allow 3rd party repos in Fedora,
because
Fedora can't cope with them on the legal and on the technical sides.
Reading
current GL I cannot interpret them as a plain "We do not allow
3rd party repos in Fedora". If the rule was that simple, why a full
page of text with different cases?
From a technical POV, I cannot see the difficulties in adding a repo
file. Am I missing something here?
That said, of course much of these GL is about legal issues. As this
is where rpmfusion really differs, we certainly need to understand
what these GL means for rpmfusion. The current request complies to the
following to cope with the risks:
- User must enable it manually, after a disclaimer warning, as
required in the GL.
- The enabled repository is a "specific piece of free software"
according the the GL, besides being non-free.
- The repo file uses gpg verification and also a includepkgs=
condition to only enable the dropbox application.
To my understanding, taken together these conditions complies to the
current GL, interpreted in a rpmfusion context where we use handle
non-free software.
But in the end this is probably about a vision.
rpmfusion.org states
that it's about "simplify end-user experience by grouping as much
add-on software as possible in a single location". In my eyes, making
it possible to install the dropbox client fits well into this.
Cheers!
--alec
[1]
https://github.com/leamas/system-config-repo/blob/devel/screenshots/0-act...