On 2/3/14, Xavier Bachelot <xav...@bachelot.org> wrote:
> On 02/03/2014 10:52 AM, Hans de Goede wrote:
>> Hi,
>>
>> On 02/03/2014 02:14 AM, Ralf Corsepius wrote:
>>> [2nd attempt to answer to this. My initial response from quite a while
>>> ago seems to have gone lost.]
>>>
>>> On 01/29/2014 12:12 PM, Alec Leamas wrote:
>>>> Formally, this is about review request 3152 for dropbox-repo [1]. From
>>>> a more practical POV, it's about users being able to install software
>>>> like dropbox more or less "out of the box", an area where I think we
>>>> really need to improve (as can be seen in all those "Fedora XX post
>>>> installation guide" out there).
>>>>[cut]
>>>>
>>>> To handle this, my simple proposal is that we handle packaged yum
>>>> repositories like this:
>>>> - It's ok to package yum repositories listed in [4].
>>>> - If anyone wants to change the list in [4] this should be announced
>>>> here on rpmfusion-devel, and not done until we agree on it (similar to
>>>> how we handle bundling exceptions).
>>>>
>>>> Thoughts. out there?
>>>
>>> All in all, I am not OK with rpmfusion shipping other party's repos,
>>> because such repos are out of Fedora's/Rpmfusion's control/influence.
>>>
>>> They open up an arbitrary amount of opportunities for these 3rd
>>> parties to break, corrupt and damage Fedora installations (Package
>>> conflicts, low quality packages, malware, spyware,
>>> intruded/dead/broken 3rd party servers, etc), without Fedora/RPMfusion
>>> being able to do anything against it.

No one is arguing for "an arbitrary amount of opportunities", at least not I. My overall idea is still that the overall rule should be that external repo packaging is forbidden. But, like for bundling, there should be exceptions.

>>> In other words, I'd recommend not doing so, because you guys are
>>> likely to be facing very tough times in cases something goes wrong
>>> with these "endorsed 3rd party repos".
>>
>> +1
>>
>> Regards,
>>
>> Hans

This is a valid concern, although I don't think it should be enough to block any packaging attempt. We could change things so that the files are shipped in /usr/whatever and only "activated", i.e., copied to /etc/yum.repos.d after some kind of dialog where user accepts this (perhaps with a warning text like above). Would this improve the situation?

> I'm in agreement with Ralf too.
> imho, one of the biggest "selling point" for repositories like RPM
> Fusion is the insurance the Fedora packaging guidelines are enforced and
> thus the packages will integrate properly with the remaining of the
> ecosystem.

[cut]

From a policy point of view current Fedora guidelines on this (which we should comply to ?!) is really more or less a full page about conditions when packaging of external repositories is acceptable or not. If rpmfusion should conclude not to package *any* repository, this would be a (much?) more restrictive rule than current Fedora guidelines. Is this reasonable?

As for legal, spot has concluded that packaging a repository carries a substantially smaller risk than repacking other parties' sw (which is what lpf is all about). Link in first post, discussions.

Practically, I feel that some of these arguments seem based on that all external repos are equal. However, they differ a lot. Leaving the list of "endorsed" repos aside (that list might very well be a Bad Idea anyway), how do these arguments apply to the dropbox repo (which only carries the leaf application dropbox). E.g., what's the risk that this application would destabilize the overall system?