Packaging 3-rd party repositories in rpmfusion

Wed Feb 5 10:50:25 CET 2014

On 02/03/2014 01:07 PM, Alec Leamas wrote:
> n 2/3/14, Xavier Bachelot <xavier at bachelot.org> wrote:
>> On 02/03/2014 10:52 AM, Hans de Goede wrote:
>>> Hi,
>>>
>>> On 02/03/2014 02:14 AM, Ralf Corsepius wrote:
>>>> [2nd attempt to answer to this. My initial response from quite a while
>>>> age seems to have gone lost.]
>>>>
>>>> On 01/29/2014 12:12 PM, Alec Leamas wrote:
>>>>> Formally, this is about review request 3152 for dropbox-repo [1]. From
>>>>> a more practical POV, it's about users being able to install software
>>>>> like dropbox more or less "out of the box", an area where I think we
>>>>> really need to improve (as can be seen in all those "Fedora XX post
>>>>> installation guide" out there).
>>>>> [cut]
>>>>>
>>>>> To handle this, my simple proposal is that we handles packaged yum
>>>>> repositories like this:
>>>>> - It's ok to package yum repositories listed in [4].
>>>>> - If anyone wants to change the list in [4] this should be announced
>>>>> here on rpmfusion-devel, and not done until we agree on it (similar to
>>>>> how we handle bundling exceptions).
>>>>>
>>>>> Thoughts. out there?
>>>>
>>>> All in all, I am not OK with rpmfusion shipping other party's repos,
>>>> because such repos are out of Fedora's/Rpmfusion's control/influence.
>>>>
>>>> They open up an arbitrary amount of opportunities for these 3rd
>>>> parties to break, corrupt and damage Fedora installations (Package
>>>> conflicts, low quality packages, malware, spyware,
>>>> intruded/dead/broken 3rd party servers, etc), without Fedora/RPMfusion
>>>> being able to do anything against it.
>
> Noone is arguing for "an arbitrary amount of opportunities" ,

Well, I am.

Installation of rpms is performed by root, i.e. package installation is 
maximum insecure, i.e. allowing any repository an expression of maximum 
trust to a repository provider by each user.

=> Any arbitrary repository provider is granted 100% control over a 
system == "an arbitrary amount of opportunities".

It's the reason why we tell users to only install from trusted sources 
(== repositories) and not to pick up random packages from the net. It's 
one of the key points which had assured safety of Linux over the years 
and which makes *the* key difference to other OSes (esp. Win and Android).

It's this rationale, why I consider adding the idea to add 3rd parties 
to Fedora or RPMFusion to be a truely stupid idea.

> This is a valid concern, although I don't think it should be enough to
> block any packaging attempt.
>
> We could change things so that the files are shipped in /usr/whatever
> and only "activated" i. e., copied to /etc/yum.repos.d  after some
> kind of dialog where user accepts this (perhaps with a warning text
> like above). Would this improve the situation?
Sightly - It would at least shift responsibility to the user.

However it depends much on packaging details.

E.g. how do you want to copy with rpm file ownership on files below 
/etc/yum.repos.d/*.repo and conflicts between such files being shipped 
by upstream-rpms (rpmfusion, adobe do so), non-rpm-upstreams (e.g. 
google-chrome does so) and manually written ones.

>> I'm in agreement with Ralf too.
>> imho, one of the biggest "selling point" for repositories like RPM
>> Fusion is the insurance the Fedora packaging guidelines are enforced and
>> thus the packages will integrate properly with the remaining of the
>> ecosystem.

Exactly. It is the selling point and the point behind telling people not 
to use repositories which do not care about it (e.g. rpmforge or atrpms).

>  From a poilicy point of view current Fedora guidelines on this (which
> we should comply to ?!) is really more or less a full page about
> conditions when packaging of external repositories is acceptable or
> not.
Which page are you referring to? One of these recently written pages to 
"embrace 3rd parties"?

My personal position is clear: A stupid idea, whose only purpose is 
populism.

With my FPC head on: We do not allow 3rd party repos in Fedora, because 
Fedora can't cope with them on the legal and on the technical sides.

In this light, as I understand, RPMFusion is trying to fill this gap.

> Practically, I feel that some of these arguments seems based on that
> all external repos are equal. However, they differ a lot. Leaving the
> list of "endorsed" repos aside (that list might very well be a Bad
> Idea anyway), how does these arguments apply the dropbpox repo (which
> only carries the leaf application dropbox). E. g., what's the risk
> that this application would destabilize the overall system?
As I said before, any arbitrary package has all opportunities to comit 
any possible kind of damage to your system - The set of possible 
imaginable scenarios is infinite.

Ralf