Packaging 3-rd party repositories in rpmfusion

[Xavier Bachelot]

On 02/03/2014 10:52 AM, Hans de Goede wrote:
> Hi,
>
> On 02/03/2014 02:14 AM, Ralf Corsepius wrote:
>> [2nd attempt to answer to this. My initial response from quite a while
>> age seems to have gone lost.]
>>
>> On 01/29/2014 12:12 PM, Alec Leamas wrote:
>>> Formally, this is about review request 3152 for dropbox-repo [1]. From
>>> a more practical POV, it's about users being able to install software
>>> like dropbox more or less "out of the box", an area where I think we
>>> really need to improve (as can be seen in all those "Fedora XX post
>>> installation guide" out there).
>>>
>>> My basic understanding is that current Fedora guidelines needs a
>>> interpretation in the rpmfusion context. Those brand new GL for 3-rd
>>> party repos are in [2] (discussions in [3]). For now, I think they can
>>> be abridged to:
>>> - Non-free repos can not be part of Fedora yum configuration.
>>> - In some cases free repos can be part of the configuration after
>>> FESCO/Fedora legal approval.
>>>
>>> Now, IMHO this doesn't really make much sense for rpmfusion for three
>>> reasons:
>>> - rpmfusion does not ban non-free software, it's one of the very
>>> reasons it exists.
>>> - FESCO/Fedora legal cannot approve anything in rpmfusion.
>>> - We already have a list of endorsed 3-rd party repos [4].
>>>
>>> To handle this, my simple proposal is that we handles packaged yum
>>> repositories like this:
>>> - It's ok to package yum repositories listed in [4].
>>> - If anyone wants to change the list in [4] this should be announced
>>> here on rpmfusion-devel, and not done until we agree on it (similar to
>>> how we handle bundling exceptions).
>>>
>>> Thoughts. out there?
>>
>> All in all, I am not OK with rpmfusion shipping other party's repos,
>> because such repos are out of Fedora's/Rpmfusion's control/influence.
>>
>> They open up an arbitrary amount of opportunities for these 3rd
>> parties to break, corrupt and damage Fedora installations (Package
>> conflicts, low quality packages, malware, spyware,
>> intruded/dead/broken 3rd party servers, etc), without Fedora/RPMfusion
>> being able to do anything against it.
>>
>> In other words, I'd recommend not doing so, because you guys are
>> likely to be facing very tough times in cases something goes wrong
>> with these "endorsed 3rd party repos".
>
> +1
>
> Regards,
>
> Hans

I'm in agreement with Ralf too.
imho, one of the biggest "selling point" for repositories like RPM 
Fusion is the insurance the Fedora packaging guidelines are enforced and 
thus the packages will integrate properly with the remaining of the 
ecosystem. Some other repositories, including some that are proposed for 
integration in RPM Fusion, are well known for theit low quality 
packaging, hence the need for smart tricks like lpf. I think this bears 
a high risk to backfire on unsuspecting users, and from my 
understanding, providing more lpf packages is probably a better 
solution, even if the maintenance cost is indeed higher.

Regards,
Xavier