On 10/12/2016 10:16 PM, Marek Marczykowski-Górecki wrote:
> Hi,
> [...packaging 3rd party software...]
> Any thoughts?

I think it depends on whether the 3rd party software is meant to be
upstreamed into Qubes OS.

For example, in the case of my tools, I would like them to be
upstreamed, therefore the ideal thing to do would be to incorporate them
into the QubesOS Github org, and then add them as extra sources in the
builder.  That requires, of course, that Qubes OS the project provide a
proper process for vetting for upstreaming, and upstreaming vetted
software.  Ultimately the Qubes OS devs end up controlling that
software, and the future contribution process is simply based on pull

For software that isn't meant to be upstreamed, but should be
installable, it would be great if there was a separate qubes-contrib
repo where people with cool Qubes extensions can upload packages —
again, following a review process, ideally based on diffs of source
RPMs, which only accepts SRPMS that were signed by their original
submitters — prior to them getting signed by the folks in charge of the
qubes-contrib repo.  This would provide a distribution channel for those
packages.  This is tricky though, because we are betting on the people
in charge of the repo (and building / signing the packages) to catch
potential malicious software being submitted.  Effectively we need a
queue submitter -> new, signed SRPM up for review -> reviewer looks at
diff between last published SRPM and this incoming SRPM -> reviewer
approves -> builder builds -> built SRPM and RPMs -> reviewer does Q/A
on built products -> reviewer signs -> reviewer pushes to
qubes-contrib.  This of course needs to be 100% fully automated.

And, of course, both options are labor-intensive.
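A minimal model of the two review-queue gates described above, written here as an added example (not code from the thread or from Qubes OS): only an SRPM signed by the package's registered submitter enters review, and the reviewer gets a file-level diff against the last published SRPM with spec scriptlet changes flagged. It assumes the signature check itself (rpm -K or gpg --verify) has already run and hands over the signer's key fingerprint; package names, fingerprints and spec contents are constructed.

```python
import hashlib
import re
from collections import namedtuple
# Spec sections whose bodies run as root when the package is installed or removed.
SCRIPTLET = re.compile(r"^%(pre|post|preun|postun|pretrans|posttrans|trigger\w*)\b")
# signer_fpr: key fingerprint from the signature check (rpm -K / gpg --verify), assumed already done
Srpm = namedtuple("Srpm", "package signer_fpr files")  # files: name -> spec text or source bytes

def scriptlets(spec):
    """Map each scriptlet tag (%post, %preun, ...) in a spec to its body."""
    sections, current = {}, None
    for line in spec.splitlines():
        if line.startswith("%"):
            current = line.split()[0] if SCRIPTLET.match(line) else None
            if current:
                sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return {tag: "\n".join(body) for tag, body in sections.items()}

def gate(incoming, registry, published):
    """Admit to review only if signed by the registered submitter; return (accepted, report)."""
    expected = registry.get(incoming.package)
    if expected is None:
        return False, ["package has no registered submitter key"]
    if incoming.signer_fpr != expected:
        return False, [f"signer {incoming.signer_fpr} is not the registered submitter"]
    # Diff against the last published SRPM (an unpublished package diffs against nothing).
    old = published.get(incoming.package, Srpm(incoming.package, expected, {}))
    digest = lambda c: hashlib.sha256(c if isinstance(c, bytes) else c.encode()).hexdigest()
    before = {n: digest(c) for n, c in old.files.items()}
    after = {n: digest(c) for n, c in incoming.files.items()}
    report = []  # what the reviewer sees: file-level diff, scriptlet changes flagged
    for name in sorted(set(before) | set(after)):
        if name not in before: report.append(f"added: {name}")
        elif name not in after: report.append(f"removed: {name}")
        elif before[name] != after[name]: report.append(f"changed: {name}")
    for name in incoming.files:
        if name.endswith(".spec") and name in old.files:
            old_s, new_s = scriptlets(old.files[name]), scriptlets(incoming.files[name])
            for tag in sorted(set(old_s) | set(new_s)):
                if old_s.get(tag) != new_s.get(tag):
                    report.append(f"ATTENTION: {tag} scriptlet changed (runs as root at install time)")
    return True, report

# Constructed sample data: one registered submitter and one previously published SRPM.
REGISTRY = {"qubes-foo": "AAAA1111"}
OLD_SPEC = "Name: qubes-foo\n%post\n/sbin/ldconfig\n%files\n/usr/bin/foo\n"
NEW_SPEC = "Name: qubes-foo\n%post\n/sbin/ldconfig\nsystemctl enable foo\n%files\n/usr/bin/foo\n"
PUBLISHED = {"qubes-foo": Srpm("qubes-foo", "AAAA1111", {"qubes-foo.spec": OLD_SPEC, "foo-1.0.tar.gz": b"v1"})}
INCOMING = Srpm("qubes-foo", "AAAA1111", {"qubes-foo.spec": NEW_SPEC, "foo-1.1.tar.gz": b"v2"})
```

The fingerprint-to-package binding is what stops a second contributor from pushing a new version of someone else's package; the scriptlet flag directs the reviewer's attention to the part of the diff that executes at install time.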
