Packaging 3-rd party repositories in rpmfusion

Xavier Bachelot xavier at bachelot.org
Tue Feb 4 09:42:15 CET 2014


On 02/03/2014 11:04 PM, Alec Leamas wrote:
> On 2/3/14, Hans de Goede <j.w.r.degoede at gmail.com> wrote:
>> Hi,
>>
>> On 02/03/2014 10:03 PM, Thorsten Leemhuis wrote:
>>> Hi!
>>>
>>> On 03.02.2014 10:52, Hans de Goede wrote:
>>>> On 02/03/2014 02:14 AM, Ralf Corsepius wrote: [...]
>>>>> In other words, I'd recommend not doing so, because you guys are
>>>>> likely to be facing very tough times in cases something goes
>>>>> wrong with these "endorsed 3rd party repos".
>>>> +1
>>>
>>> RPM Fusion is something most Fedora users will enable, so IMHO it's
>>> the ideal place to give users something at hand to reach software that
>>> can't be in Fedora or RPM Fusion for various reasons â EURO " flash player
>>> for example.
>
> On  a sidenote, flash is already available as lpf-flash-plugin. But
> that's another story.
>
>>> Packages with repo files otoh might not be best way. I guess the best
>>> way forward would be a small app that points out the risks and
>>> explains that RPM Fusion is not responsible for content from other
>>> repos; if the users ACks that let the app put repo file in place.
>>>
>>> Just my 2 cent because I always wanted something like the above. Ohh,
>>> and because my name came up recently in this discussion, as one of
>>> those that was (is?) considered to be on the (inactive) RPM Fusion
>>> steering committee. Might be wise to set up a new one. I'm fine if
>>> those that are most active simply organize something and put it in
>>> place, you have my blessing. If that's not enough: if you want a
>>> official vote or something else from me just let me know when and
>>> where to give what's needed ;-)
>>
>> +1 to all of the above, I too am fine with some app to enable
>> additional repos or some such, I just don't like any form of
>> "yum install" automatically enabling new out of our control
>> repos.
>>
>> Regards,
>>
>> Hans
>
> Hi,
>
> +1 also from me.  I'll  update system-config-repo to handle packaged
> repos in a way forcing user to confirm the actual copying to
> /etc/yum.repos.d before it's done. Shouldn't be a big deal, I've had
> it in mind while hacking it up.
>
> To clarify, this means that also I agree on that some magic enabling
> of an external repo just by installing a package isn't really a good
> idea.
>
+1 for system-config-repo, user interaction is much better than silent 
enablement of repositories on package installation. I would just like a 
feature to remove all packages coming from a given repo when it is 
disabled by the user, in order not to left installed packages that will 
not receive (security) updates anymore.

Also, iirc, some repos are providing packages with known security flaws. 
While some users might need these repo/software for good or bad reasons, 
they should be warned to be extra careful. I'm thinking of AcrobatReader 
here, but there might be others.

> Unless there is more input in this thread  I will  update
> system-config repo and make corresponding changes to my review
> request. Then  we'll see if someone has the nerves the actually do the
> review :)
>
> Thanks for all input!
>
> Cheers,
>
> --alec
>
Regards,
Xavier


More information about the rpmfusion-developers mailing list