-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, Oct 13, 2016 at 11:30:39AM -0700, Andrew David Wong wrote: > On 2016-10-13 10:19, Marek Marczykowski-Górecki wrote: > > On Thu, Oct 13, 2016 at 02:21:24PM +0000, Manuel Amador (Rudd-O) wrote: > >> On 10/12/2016 10:16 PM, Marek Marczykowski-Górecki wrote: > >>> Hi, > >>> > >>> [...packagin 3rd party software...] > >>> Any thoughts? > > > >> I think it depends on whether the 3rd party software is meant to be > >> upstreamed into Qubes OS. > > > >> For example, in the case of my tools, I would like them to be > >> upstreamed, therefore the ideal thing to do would be to incorporate them > >> into the QubesOS Github org, and then add them as extra sources in the > >> builder. That requires, of course, that Qubes OS the project provide a > >> proper process for vetting for upstreaming, and upstreaming vetted > >> software. Ultimately the Qubes OS devs end up controlling that > >> software, and the future contribution process is simply based on pull > >> requests. > > > > This is generally a good idea, but I'm afraid some social effect: this > > may look like taking the software away from the original author, taking > > the credit for it. But on the other hand, the repository still will have > > commit history, and "forked from ..." reference. > > > > Andrew, any though on this aspect? > > > > We certainly should aim for a solution that allows authors to retain > ownership of and control over their own software, as well as > receive credit and recognition for it, if only because this is likely > to promote more contributions from individuals who care (quite > reasonably, IMHO) about those things. > > In options 1-4, the software ends up in a Qubes-owned repo no matter > what, right? It's just a matter of whether it's the official QubesOS > repo or a new repo we create specifically for that purpose.
Not necessary - option 3 is about keeping only build scripts (.spec, etc) in our repository, but pull the actual source from upstream. I'm somehow reluctant for creating a single multi-package repository, mostly because qubes-builder (currently) does not support building a single package from such repo. So updating a single package means rebuilding all of them. But should be easy to fix - for example keep packages in separate directories (which is good idea anyway) and only point qubes-builder at those subdirectories. > If we want to allow authors to retain control (on GitHub) of their > own software (and not any other contributor's software), then it seems > like the only option is to allow each author to host their own > software under their own account (or an account they control). > > What if we just fork those repos (either into the official QubesOS > account or into a separate one created for this purpose), then > update the forks based on changes to the author-owned original > repos (only accepting author-signed commits and/or tags, of course, > and perhaps after a review process)? Isn't that essentially what > we're already doing with i3[1], awesome[2], and yubikey[3]? > (Awesome yubikey are forked from repos owned by woju > and you, so maybe those don't really count.) Yes, this is the other option. The question here is: where should those forks be (current github org or a new one) and how should be named (original name, or some forced naming scheme like qubes-app-*)? > [1] https://github.com/QubesOS/qubes-desktop-linux-i3 > ]2] https://github.com/QubesOS/qubes-desktop-linux-awesome > [3] https://github.com/QubesOS/qubes-app-yubikey > - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJX/+0WAAoJENuP0xzK19csiOMH/RgGHaqCMFgbkkIARDDIzln8 f/+CmDswfN9lDSpHxLCOALPY7YWrmJqyMb60Vf/h9cYk1ctD1ecCC6Qmmf8kFSiG QLXkmS6XeRPz4J2OhfQOHmsKYfqMbklnYnpuhGgbdaCibf5PUl/sY9dlP96dStep H0TfppWwmoD3lCObup5LnBuySJk27YXhwLM23eMh7wI/np6qGNTbQSPgdLEi/lWK lEWss5Tdj/231jtbgYFfgu3JDo5XOP9kMlZSO3anCQ47i0EmA69ngnciaeYxFSEQ 1HG0qUyXzxmT6bMBPxcQxb91Qj8SxR4IinwdysSC0CUGM7Z1dv+exdZiD9J9llI= =nGEI -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20161013202248.GV15776%40mail-itl. For more options, visit https://groups.google.com/d/optout.
