Packaging 3-rd party repositories in rpmfusion

Ralf Corsepius ralf.corsepius at
Mon Feb 3 02:14:08 CET 2014

[2nd attempt to answer to this. My initial response from quite a while 
age seems to have gone lost.]

On 01/29/2014 12:12 PM, Alec Leamas wrote:
> Formally, this is about review request 3152 for dropbox-repo [1]. From
> a more practical POV, it's about users being able to install software
> like dropbox more or less "out of the box", an area where I think we
> really need to improve (as can be seen in all those "Fedora XX post
> installation guide" out there).
> My basic understanding is that current Fedora guidelines needs a
> interpretation in the rpmfusion context. Those brand new GL for 3-rd
> party repos are in [2] (discussions in [3]). For now, I think they can
> be abridged to:
> - Non-free repos can not be part of Fedora yum configuration.
> - In some cases free repos can be part of the configuration after
> FESCO/Fedora legal approval.
> Now, IMHO this doesn't really make much sense for rpmfusion for three reasons:
> - rpmfusion does not ban non-free software, it's one of the very
> reasons it exists.
> - FESCO/Fedora legal cannot approve anything in rpmfusion.
> - We already have a list of endorsed 3-rd party repos [4].
> To handle this, my simple proposal is that we handles packaged yum
> repositories like this:
> - It's ok to package yum repositories listed in [4].
> - If anyone wants to change the list in [4] this should be announced
> here on rpmfusion-devel, and not done until we agree on it (similar to
> how we handle bundling exceptions).
> Thoughts. out there?

All in all, I am not OK with rpmfusion shipping other party's repos, 
because such repos are out of Fedora's/Rpmfusion's control/influence.

They open up an arbitrary amount of opportunities for these 3rd parties 
to break, corrupt and damage Fedora installations (Package conflicts, 
low quality packages, malware, spyware, intruded/dead/broken 3rd party 
servers, etc), without Fedora/RPMfusion being able to do anything 
against it.

In other words, I'd recommend not doing so, because you guys are likely 
to be facing very tough times in cases something goes wrong with these 
"endorsed 3rd party repos".


More information about the rpmfusion-developers mailing list