Packaging 3-rd party repositories in rpmfusion
ralf.corsepius at gmail.com
Wed Feb 5 10:50:25 CET 2014
On 02/03/2014 01:07 PM, Alec Leamas wrote:
> n 2/3/14, Xavier Bachelot <xavier at bachelot.org> wrote:
>> On 02/03/2014 10:52 AM, Hans de Goede wrote:
>>> On 02/03/2014 02:14 AM, Ralf Corsepius wrote:
>>>> [2nd attempt to answer to this. My initial response from quite a while
>>>> age seems to have gone lost.]
>>>> On 01/29/2014 12:12 PM, Alec Leamas wrote:
>>>>> Formally, this is about review request 3152 for dropbox-repo . From
>>>>> a more practical POV, it's about users being able to install software
>>>>> like dropbox more or less "out of the box", an area where I think we
>>>>> really need to improve (as can be seen in all those "Fedora XX post
>>>>> installation guide" out there).
>>>>> To handle this, my simple proposal is that we handles packaged yum
>>>>> repositories like this:
>>>>> - It's ok to package yum repositories listed in .
>>>>> - If anyone wants to change the list in  this should be announced
>>>>> here on rpmfusion-devel, and not done until we agree on it (similar to
>>>>> how we handle bundling exceptions).
>>>>> Thoughts. out there?
>>>> All in all, I am not OK with rpmfusion shipping other party's repos,
>>>> because such repos are out of Fedora's/Rpmfusion's control/influence.
>>>> They open up an arbitrary amount of opportunities for these 3rd
>>>> parties to break, corrupt and damage Fedora installations (Package
>>>> conflicts, low quality packages, malware, spyware,
>>>> intruded/dead/broken 3rd party servers, etc), without Fedora/RPMfusion
>>>> being able to do anything against it.
> Noone is arguing for "an arbitrary amount of opportunities" ,
Well, I am.
Installation of rpms is performed by root, i.e. package installation is
maximum insecure, i.e. allowing any repository an expression of maximum
trust to a repository provider by each user.
=> Any arbitrary repository provider is granted 100% control over a
system == "an arbitrary amount of opportunities".
It's the reason why we tell users to only install from trusted sources
(== repositories) and not to pick up random packages from the net. It's
one of the key points which had assured safety of Linux over the years
and which makes *the* key difference to other OSes (esp. Win and Android).
It's this rationale, why I consider adding the idea to add 3rd parties
to Fedora or RPMFusion to be a truely stupid idea.
> This is a valid concern, although I don't think it should be enough to
> block any packaging attempt.
> We could change things so that the files are shipped in /usr/whatever
> and only "activated" i. e., copied to /etc/yum.repos.d after some
> kind of dialog where user accepts this (perhaps with a warning text
> like above). Would this improve the situation?
Sightly - It would at least shift responsibility to the user.
However it depends much on packaging details.
E.g. how do you want to copy with rpm file ownership on files below
/etc/yum.repos.d/*.repo and conflicts between such files being shipped
by upstream-rpms (rpmfusion, adobe do so), non-rpm-upstreams (e.g.
google-chrome does so) and manually written ones.
>> I'm in agreement with Ralf too.
>> imho, one of the biggest "selling point" for repositories like RPM
>> Fusion is the insurance the Fedora packaging guidelines are enforced and
>> thus the packages will integrate properly with the remaining of the
Exactly. It is the selling point and the point behind telling people not
to use repositories which do not care about it (e.g. rpmforge or atrpms).
> From a poilicy point of view current Fedora guidelines on this (which
> we should comply to ?!) is really more or less a full page about
> conditions when packaging of external repositories is acceptable or
Which page are you referring to? One of these recently written pages to
"embrace 3rd parties"?
My personal position is clear: A stupid idea, whose only purpose is
With my FPC head on: We do not allow 3rd party repos in Fedora, because
Fedora can't cope with them on the legal and on the technical sides.
In this light, as I understand, RPMFusion is trying to fill this gap.
> Practically, I feel that some of these arguments seems based on that
> all external repos are equal. However, they differ a lot. Leaving the
> list of "endorsed" repos aside (that list might very well be a Bad
> Idea anyway), how does these arguments apply the dropbpox repo (which
> only carries the leaf application dropbox). E. g., what's the risk
> that this application would destabilize the overall system?
As I said before, any arbitrary package has all opportunities to comit
any possible kind of damage to your system - The set of possible
imaginable scenarios is infinite.
More information about the rpmfusion-developers