(→Open Questions: Added details on discussion about the open question: Do we trust the person whose repo/package was accepted into the Playground repository to keep it up-to-date and address serious bugs/security issues?) |
(→Open Questions: Added question and discussion about "Do we expect people to package stable/usable software in the Playground repository?") |
Revision as of 11:56, 5 March 2014
The Playground repository gives contributors a place to host packages that are not up to the standards of the main Fedora repository but may still be useful to other users. For now the Playground repository contains both packages that are destined for eventual inclusion into the main Fedora repositories and packages that are never going to make it there. Users of the repository should be willing to endure a certain amount of instability when using packages from here.
All packages in Playground must play nice - no bad licenses, no proprietary software, no patented software.
Description
Policies
- Packages must follow the Legal Guidelines. In particular, the license for all packages must be approved in the Legal Guidelines.
- Packages may violate other Fedora Packaging Guidelines.
How the repository works
Packages for the repository are built in COPR. The COPR owner can mark the repository as a whole as being part of the Playground repository. Packages successfully built for marked COPRs are copied into the Playground Repository. [marcela] Who is COPR owner? The project owner on COPR? We need additional feature in COPR for "mark as worth of Playground".
- How do the updates work?
- The Playground repository follows the rolling release model. One yum/dnf repository is provided for each Fedora release-arch combination. The repository's repodata is continuously regenerated. All the builds in the COPR repositories that are selected to feed the Playground repository are composed once a day and pushed to the Playground repository and its mirrors.
- This is similar to the Rawhide repository.
- Initially, the Bodhi update system will not be used.
- These decisions were made at the March 4, 2014 meeting.
- Does it have an additional testing repository?
- Initially, there won't be an additional testing repository. If packagers want to provide some testing packages, they can create an additional COPR that will contain these testing packages.
- This decision was made at the March 4, 2014 meeting.
Identified needs
Groups to Coordinate with | How necessary | Need |
Infra | Necessary | Disk space for the yum repositories (Open question -- is this mirrored?) |
Infra/Copr devs | Very nice to have | Copr deployment that's considered reliable enough to build packages for this repo |
Copr devs | Necessary | Ability to mark an individual COPR for inclusion in the Playground repository |
Copr devs | Optional but nice to have | Build from a git repository URL and revision hash |
Open Questions
We'll need to answer these questions and, based on the answers, flesh out the Description section and add additional work items to the Identified needs section.
- deltarpms?
- signing?
- it takes 4 months to implement in Copr
- does it need adding to mirrormanager?
- will fedup support upgrades with packages there?
- Does it need to be mashed in order to get multilib support?
- self hosting (all packages needed to build the packages are in the repo)?
- Is there any review of repos/packages in the repos?
- Does the review differ depending on who is building the package (cla+1 vs in the packager group)?
- Do we trust the person whose repo/package was accepted into the Playground repository to keep it up-to-date and address serious bugs/security issues?
- Just telling users that they should keep up with the security issues themselves is not a solution since that's well understood to be near impossible.
- The problem with reactive removal of such packages from the repository is that this doesn't remove packages from users' systems.
- Although the problem of package removal also exists in Fedora's main repos, it is mitigated somewhat since there we have a larger maintainer pool for addressing orphans, short lifecycle means that abandoned packages disappear in about a year, and packagers packaging things for the main repo have a higher bar to entry and are generally more serious and knowledgeable.
- One possible solution is to set up an empty package that obsoletes such a problematic package.
- Another solution is to have the fedora-playground-release package which has obsoletes like: Obsoletes: badapp-$version.
- If a person misuses the community's trust by intentionally packaging malware or not fixing serious security issues found in his packages, then we could blacklist his FAS account which would prevent inclusion of his packages in the Playground repository.
- Do we allow conflicts with packages in the main repo?
- Do we allow replacement of packages in the main repo?
- Do we allow "backdoor replacement" of packages in the main repo? I.e., let's say I have a package in the playground repo: NetworkManager2.1. And that conflicts with NetworkManager. Is that allowed? Is it allowed as long as it doesn't have any virtual provides/obsoletes that would automatically allow it to replace the package in the main repo?
- Do we allow conflicts between packages in the Playground Repo?
- Do we allow replacement of other packages in the Playground Repository? (How do we stop this in our implementation?)
- Do we allow "backdoor replacement" in the playground repo?
- How do we deal with multiple versions of same package provided by different COPRs?
- Do we expect people to package stable/usable software in the Playground repository?
- If we would want to enforce the content of the repository to be something stable, then we would be back to approving things individually.
- Probably some packages will be more unstable than others and that's fine.
- We could at least put up some guidance that would promote the idea that the Playground repository should contain stable/usable software (similar to the first goal of the Rawhide repository) and that bleeding edge/"eats your babies" software should be rather put into a COPR (with a warning description next to it).
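The obsoletes-based options from the security discussion above (an empty package that obsoletes a problematic one, or a fedora-playground-release package carrying the Obsoletes lines), written as an RPM spec. This is an added example, not the project's own packaging: badapp, the version numbers, the license and the .repo file name are assumptions, and it uses a versioned Obsoletes so that a later, fixed build of the package is not removed again.

```spec
# Added example. "badapp", all version-release values, the license and the
# .repo file name are constructed placeholders, not taken from the project.
Name:           fedora-playground-release
Version:        20
Release:        2
Summary:        Playground repository definition and withdrawn-package list
License:        MIT
BuildArch:      noarch
Source0:        fedora-playground.repo

# One Obsoletes line per package withdrawn from Playground. The bound is the
# last version-release that was shipped in the repository: when yum/dnf
# updates this release package, any installed badapp at or below that build
# is removed in the same transaction, while a newer fixed build is untouched.
Obsoletes:      badapp <= 1.2-3

%description
Repository definition for the Playground repository. Updates to this package
also remove packages that were withdrawn from the repository because of
unfixed security issues.

%install
install -D -m 0644 %{SOURCE0} \
    %{buildroot}%{_sysconfdir}/yum.repos.d/fedora-playground.repo

%files
%config(noreplace) %{_sysconfdir}/yum.repos.d/fedora-playground.repo
```

The removal only reaches systems that have this release package installed and that apply updates, so it complements rather than replaces taking the build out of the repository.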
Problems
1 Big repo vs multiple small ones
Ideally users would enable just one "playground" repo and would get all nice updates. However, this has several issues:
- We'd need support in rel-eng for multiple versions of identical package (problems with composes)
- Users would get *all* playground packages not just ones they are interested in
- There is no way to specify which packages from playground to install (or they are inadequate)
Most likely a better approach is a repo-of-repos, where:
- Each project has a COPR repo (already done since that's how they are built)
- Playground repo contains these repo files
- We can add GUI support for enabling on a per-feature basis (i.e. install playground repo for "Django 1.6" or "Chromium" or ...)
- Possible conflicts are between features. It's not ideal but that way there *can* be conflicts and they are not catastrophic. People who want to test django do not necessarily want to test Chromium (or other way around)