Packaging 3rd-party repositories in rpmfusion

Alec Leamas leamas.alec at gmail.com
Wed Feb 5 21:24:16 CET 2014


On 2/5/14, Ralf Corsepius <ralf.corsepius at gmail.com> wrote:
> On 02/03/2014 01:07 PM, Alec Leamas wrote:
>> On 2/3/14, Xavier Bachelot <xavier at bachelot.org> wrote:
>>> On 02/03/2014 10:52 AM, Hans de Goede wrote:
>>>> Hi,
>>>>
>>>> On 02/03/2014 02:14 AM, Ralf Corsepius wrote:
>>>>> [2nd attempt to answer to this. My initial response from quite a while
>>>>> ago seems to have gone lost.]
>>>>>
>>>>> On 01/29/2014 12:12 PM, Alec Leamas wrote:
>>>>>> Formally, this is about review request 3152 for dropbox-repo [1].
>>>>>> From a more practical POV, it's about users being able to install
>>>>>> software like dropbox more or less "out of the box", an area where I
>>>>>> think we really need to improve (as can be seen in all those "Fedora XX
>>>>>> post installation guide" out there).
>>>>>> [cut]
>>>>>>
>>>>>> To handle this, my simple proposal is that we handle packaged yum
>>>>>> repositories like this:
>>>>>> - It's ok to package yum repositories listed in [4].
>>>>>> - If anyone wants to change the list in [4] this should be announced
>>>>>> here on rpmfusion-devel, and not done until we agree on it (similar
>>>>>> to how we handle bundling exceptions).
>>>>>>
>>>>>> Thoughts, out there?
>>>>>
>>>>> All in all, I am not OK with rpmfusion shipping other party's repos,
>>>>> because such repos are out of Fedora's/Rpmfusion's control/influence.
>>>>>
>>>>> They open up an arbitrary amount of opportunities for these 3rd
>>>>> parties to break, corrupt and damage Fedora installations (Package
>>>>> conflicts, low quality packages, malware, spyware,
>>>>> intruded/dead/broken 3rd party servers, etc), without Fedora/RPMfusion
>>>>> being able to do anything against it.
>>
>> No one is arguing for "an arbitrary amount of opportunities",
>
> Well, I am.
>
> Installation of rpms is performed by root, i.e. package installation is
> maximally insecure, i.e. allowing any repository is an expression of
> maximum trust in a repository provider by each user.
>
> => Any arbitrary repository provider is granted 100% control over a
> system == "an arbitrary amount of opportunities".
>
> It's the reason why we tell users to only install from trusted sources
> (== repositories) and not to pick up random packages from the net. It's
> one of the key points which had assured safety of Linux over the years
> and which makes *the* key difference to other OSes (esp. Win and Android).
Agreed. But we are not talking about random packages from the net. We
are talking about making it easy to install specific apps from some
selected repos.

> It's for this rationale that I consider the idea of adding 3rd parties
> to Fedora or RPMFusion to be a truly stupid idea.
Could you not at least agree that we actually have a trade-off
here? Many (most? almost all?) fedora/rpmfusion users want to use some
apps available from 3rd-party repos for various reasons. Not
supporting this at all forces them to apply random guides out there,
with all sorts of risks and problems. Supporting it also carries
risks, agreed. But I just don't think it's fair to call any position
about this "stupid".

>> This is a valid concern, although I don't think it should be enough to
>> block any packaging attempt.
>>
>> We could change things so that the files are shipped in /usr/whatever
>> and only "activated", i.e., copied to /etc/yum.repos.d, after some
>> kind of dialog where the user accepts this (perhaps with a warning text
>> like above). Would this improve the situation?
> Slightly - it would at least shift responsibility to the user.
As of today, the user will face the dialog in [1]. This would IMHO make
the user responsible.

> However it depends much on packaging details.
> E.g. how do you want to cope with rpm file ownership on files below
> /etc/yum.repos.d/*.repo and conflicts between such files being shipped
> by upstream-rpms (rpmfusion, adobe do so), non-rpm-upstreams (e.g.
> google-chrome does so) and manually written ones.

As for dropbox-repo, the repo file is in a sub-package. The main
package requires the repo file directly. The result is that it will
use an already existing repo file without conflicts, more or less
just adding some metadata to it.

>> From a policy point of view, current Fedora guidelines on this (which
>> we should comply with?!) are really more or less a full page about
>> conditions when packaging of external repositories is acceptable or
>> not.
> Which page are you referring to? One of these recently written pages to
> "embrace 3rd parties"?
>
> My personal position is clear: A stupid idea, whose only purpose is
> populism.
If populism is about making Fedora/rpmfusion a popular distribution,
then call me a populist. I can live with that.

> With my FPC head on: We do not allow 3rd party repos in Fedora, because
> Fedora can't cope with them on the legal and on the technical sides.
Reading current GL I cannot interpret them as a plain "We do not allow
3rd party repos in Fedora". If the rule was that simple, why a full
page of text with different cases?
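The "ship the .repo file inactive under /usr, copy it into /etc/yum.repos.d only after the user accepts" idea from the exchange above, together with the concern about clobbering hand-written or vendor-shipped repo files, as an added example that is not from this thread or from the dropbox-repo package: a POSIX shell helper that refuses to activate a staged repo file unless every section enforces GPG checking with a file:// or https:// key and an https URL, and that never overwrites an existing file that differs. All paths and the sample .repo contents are constructed.

```shell
# Added example (not from the thread or the dropbox-repo package): activate a
# staged .repo file only after policy checks. Paths and samples are constructed.

# repo_check FILE: 0 only if FILE has at least one [section] and every
# section has gpgcheck=1, a gpgkey using file:// or https://, and an https
# baseurl/metalink/mirrorlist. Anything else is refused.
repo_check() {
  [ -r "$1" ] || return 1
  awk '
    function flush() { if (sect != "" && !(gc && gk && url)) bad = 1 }
    /^\[/ { flush(); sect = $0; gc = 0; gk = 0; url = 0; next }
    /^gpgcheck *= *1 *$/ { gc = 1 }
    /^gpgkey *= *(file:\/\/|https:\/\/)/ { gk = 1 }
    /^(baseurl|metalink|mirrorlist) *= *https:\/\// { url = 1 }
    END { flush(); if (sect == "" || bad) exit 1; exit 0 }
  ' "$1"
}

# repo_activate SRC DESTDIR: copy SRC into DESTDIR (e.g. /etc/yum.repos.d)
# only when repo_check passes, and never clobber an existing file that
# differs (a hand-written or vendor-shipped repo file keeps precedence).
# Returns 0 on success or when an identical file is already active,
# 2 when the checks fail, 3 on a conflicting file.
repo_activate() {
  src="$1"; dest="$2/$(basename "$1")"
  repo_check "$src" || { echo "refusing $src: failed repo policy checks" >&2; return 2; }
  if [ -e "$dest" ]; then
    cmp -s "$src" "$dest" && return 0
    echo "refusing: $dest exists and differs from $src" >&2; return 3
  fi
  cp "$src" "$dest" && chmod 0644 "$dest"
}

# write_samples DIR: constructed sample .repo files (not real vendor files)
# for trying the checks: one acceptable, one without gpgcheck, one over http.
write_samples() {
  printf '[good]\nname=Constructed example\nbaseurl=https://repo.example.invalid/el7\nenabled=1\ngpgcheck=1\ngpgkey=https://repo.example.invalid/RPM-GPG-KEY\n' > "$1/good.repo"
  printf '[nogpg]\nname=No signature check\nbaseurl=https://repo.example.invalid/el7\nenabled=1\ngpgcheck=0\n' > "$1/nogpg.repo"
  printf '[plain]\nname=Plain http mirror\nbaseurl=http://repo.example.invalid/el7\ngpgcheck=1\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example\n' > "$1/http.repo"
}
# usage: write_samples /tmp/stage && repo_activate /tmp/stage/good.repo /etc/yum.repos.d
```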