[Bug 569] please gpg-sign repomd.xml files, enable repo_gpgcheck=1 in yum .repo files

Michael Schwendt mschwendt at gmail.com
Sun Apr 11 00:39:17 CEST 2010


On Sat, 10 Apr 2010 15:48:36 +0200, Thorsten wrote:

> >> IMHO)
> > RFEs like this are in need of _somebody_ to make decisions.
> 
> I would agree for most RFE's.
> 
> But not for this specific RFE: There is (afaics) no real downside for
> users. So there is not much to discuss IMHO, it just needs somebody to
> do it and work out the details -- and start a private or public
> discussion in case problems emerge where a discussion and a decision is
> needed.
> 
> But discussing that without knowing that anybody will work further on it
> seems like a lot of wasted time for me.

Work on _what_? The bugzilla ticket has not seen any reply since May 2009.
No feedback, no discussion, no progress, no effort spent on researching
alternative solutions. Plus: koji+bodhi for rpmfusion has been mentioned
a year ago (or even before that), with no status updates or public discussion.

As to where you see "a lot of wasted time", dunno. Lengthy discussions
are _not_ needed. (Though, somebody who will switch to koji+bodhi+mash
must consider the consequences, e.g. very likely increased maintenance
requirements). Time _is_ wasted, when after many months old/unchanged
software is still being used, and suddenly there is a need (or request)
to add something to it. Sometimes that means that months pass without
even small steps being made.

> > Where something sucks, it needs
> > somebody to say "we want to improve in that area" and to put something
> > onto an agenda (or call it "wishlist").
> 
> Maybe yes, but in RPM Fusion that IMHO didn't help much until now, as we
> are (afaics) too few people. Take the repoclosure scripts for example --
> it now years ago was definitely planned to run them after each push and
> you even did some groundwork to make it easy for our sysadmins to
> integrate (thx again for that), but they never got installed on our
> servers (and there were many situations where the lack of automated
> repoclosure scripts was discussed on this list, so it was never really
> forgotten).

Over the past months, I have replied to several people who had contacted
me about broken deps reports (even EPEL related once more). I've seen
nothing else than promises. No one has returned with specific questions
about yum-util's original repoclosure. No one has sent any feedback,
no one has shown any credible interest in creating broken deps reports
and/or in collaborating on related helper scripts (Python and/or bash).

Running repoclosure (the original one or the modified one) with
different options for different sets of repositories isn't a lot of
home work. It's a tool like many others (e.g. repoquery, repodiff).
Except that anyone, who really wants to start using it, will need
to give it a try and gain a little bit of experience while doing so.
The larger exercise has been to fix it, to port it (to Yum APIs),
to hack it -- and to keep helper/report scripts running -- but such
activity can be distributed between a tool's users and its developers.

