[opensuse-project] Contrib project
Hi,

I think I'm not the only one who is confused about today's status of Contrib. This project probably needs some respecification because policies around the openSUSE project changed since Contrib was started.

The Factory distribution is pretty open nowadays and I hear a lot of people saying that Contrib is not needed anymore and everything useful should enter Factory but I'm not sure if that makes sense or can work out at all.

There are different types of packages in Contrib currently, including
- packages dropped from Factory because security maintenance is very hard (e.g. some php apps)
- packages dropped from Factory because they are outdated immediately and nobody likes to use them for two years from $DIST
- packages dropped from Factory just because they haven't been touched upstream for years (but are still doing their job well) (e.g. abook)

I would like to hear from Factory maintainers what their thoughts are about the above types of packages. Probably nothing changed here and therefore the statement "everything should enter Factory" is not realistic?

Given that (please correct me if I'm wrong) I still see a need for something like Contrib. I would change its policy though and wouldn't freeze versions hard for released distributions. More like the backport repositories or packman would probably make sense. If you now say that is what backport repos are for, I would answer that having 20 backport repos is a nightmare and also it should be possible to stay on a version if there is no real need to update to a newer one. Contrib maintainers should be rather free to decide if a version update is done or not.

What do others think?

Wolfgang
-- 
To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-project+help@opensuse.org
* Wolfgang Rosenauer <wolfgang@rosenauer.org> [2011-03-01 20:01]:
> I think I'm not the only one who is confused about today's status of Contrib. This project probably needs some respecification because policies around the openSUSE project changed since Contrib was started.
>
> The Factory distribution is pretty open nowadays and I hear a lot of people saying that Contrib is not needed anymore and everything useful should enter Factory but I'm not sure if that makes sense or can work out at all.

IMHO Contrib is obsolete and should just go away. As you noted it does not have a clearly defined purpose and there are a number of other reasons why I think it is a bad idea.

> There are different types of packages in Contrib currently, including
> - packages dropped from Factory because security maintenance is very hard (e.g. some php apps)

If packages constitute a security risk or are hardly maintainable they should be clearly identified as such so people are aware of what they are getting into, e.g. by putting these packages in a separate repo. Everything else is just a disservice to our users.

> - packages dropped from Factory because they are outdated immediately and nobody likes to use them for two years from $DIST

I'd say such packages fit the way Packman operates and so should be maintained there; in fact, as somebody noticed on the Packman list, there is already duplication between some Contrib and Packman packages.

> - packages dropped from Factory just because they haven't been touched upstream for years (but are still doing their job well) (e.g. abook)

If they work and have a package maintainer looking after them I see no reason why they should not be in Factory. Apart from the three categories you mentioned there is a fourth category, namely many packages of both obscure and fairly mainstream software which seem to be in Contrib for no good reason at all. And what is really bad about this is that some of these packages are of awful quality and badly maintained, something that could have been prevented by proper review and the high quality standards applied to Factory. This alone is for me the decisive argument why Contrib should just die.

> I would like to hear from Factory maintainers what their thoughts are about the above types of packages. Probably nothing changed here and therefore the statement "everything should enter Factory" is not realistic?

I believe it is realistic; the few packages that fit your first and third category could easily be moved to a separate repo or Packman respectively, while the rest should just be migrated to Factory. It would raise the quality of the distribution and be a benefit to users.
-- 
Guido Berhoerster
On 01.03.2011 20:59, Guido Berhoerster wrote:
> * Wolfgang Rosenauer <wolfgang@rosenauer.org> [2011-03-01 20:01]:
>> There are different types of packages in Contrib currently, including
>> - packages dropped from Factory because security maintenance is very hard (e.g. some php apps)
>
> If packages constitute a security risk or are hardly maintainable they should be clearly identified as such so people are aware of what they are getting into, e.g. by putting these packages in a separate repo. Everything else is just a disservice to our users.

Agreed. But openSUSE as a distribution has no answer to that (yet). Every package in oss is treated the same way (basically).

>> - packages dropped from Factory because they are outdated immediately and nobody likes to use them for two years from $DIST
>
> I'd say such packages fit the way Packman operates and so should be maintained there; in fact, as somebody noticed on the Packman list, there is already duplication between some Contrib and Packman packages.

Please don't get me wrong as I like the packman service but there are a few reasons why I don't think packman is the way to go (at least IMHO). First, it's a separate developer group. I have no access to it just with my openSUSE identity. I don't like to have a separate infrastructure for that type of packages. This just sounds wrong to me. Another one is that I'm unsure about the quality of the packages there (please note that I have the same concerns for Contrib currently). There is no bugtracker, there is no way to easily contribute (I think).

>> - packages dropped from Factory just because they haven't been touched upstream for years (but are still doing their job well) (e.g. abook)
>
> If they work and have a package maintainer looking after them I see no reason why they should not be in Factory.

Same here, but there are packages which were dropped just for that reason. Therefore I asked the Factory people if we should just bring them back into Factory?

> Apart from the three categories you mentioned there is a fourth category, namely many packages of both obscure and fairly mainstream software which seem to be in Contrib for no good reason at all. And what is really bad about this is that some of these packages are of awful quality and badly maintained, something that could have been prevented by proper review and the high quality standards applied to Factory. This alone is for me the decisive argument why Contrib should just die.

My categories were not exclusive and anyway I fully agree with you. From quickly checking some Contrib stuff there are some really bad examples. It seems quite some stuff slipped through the review process too easily.

>> I would like to hear from Factory maintainers what their thoughts are about the above types of packages. Probably nothing changed here and therefore the statement "everything should enter Factory" is not realistic?
>
> I believe it is realistic; the few packages that fit your first and third category could easily be moved to a separate repo or Packman respectively, while the rest should just be migrated to Factory. It would raise the quality of the distribution and be a benefit to users.

Again agreed. We should really work on bringing the useful stuff into Factory but I see leftovers where it might make sense to still have them available. I'm wondering how "be moved to a separate repo" is different from redefining what Contrib is?

Wolfgang
* Wolfgang Rosenauer <wolfgang@rosenauer.org> [2011-03-01 21:21]:
> On 01.03.2011 20:59, Guido Berhoerster wrote:
>> * Wolfgang Rosenauer <wolfgang@rosenauer.org> [2011-03-01 20:01]:
>>> There are different types of packages in Contrib currently, including
>>> - packages dropped from Factory because security maintenance is very hard (e.g. some php apps)
>>
>> If packages constitute a security risk or are hardly maintainable they should be clearly identified as such so people are aware of what they are getting into, e.g. by putting these packages in a separate repo. Everything else is just a disservice to our users.
>
> Agreed. But openSUSE as a distribution has no answer to that (yet). Every package in oss is treated the same way (basically).
>
>>> - packages dropped from Factory because they are outdated immediately and nobody likes to use them for two years from $DIST
>>
>> I'd say such packages fit the way Packman operates and so should be maintained there; in fact, as somebody noticed on the Packman list, there is already duplication between some Contrib and Packman packages.
>
> Please don't get me wrong as I like the packman service but there are a few reasons why I don't think packman is the way to go (at least IMHO). First, it's a separate developer group. I have no access to it just with my openSUSE identity. I don't like to have a separate infrastructure for that type of packages. This just sounds wrong to me. Another one is that I'm unsure about the quality of the packages there (please note that I have the same concerns for Contrib currently). There is no bugtracker, there is no way to easily contribute (I think).
>
>>> - packages dropped from Factory just because they haven't been touched upstream for years (but are still doing their job well) (e.g. abook)
>>
>> If they work and have a package maintainer looking after them I see no reason why they should not be in Factory.
>
> Same here, but there are packages which were dropped just for that reason. Therefore I asked the Factory people if we should just bring them back into Factory?
>
>> Apart from the three categories you mentioned there is a fourth category, namely many packages of both obscure and fairly mainstream software which seem to be in Contrib for no good reason at all. And what is really bad about this is that some of these packages are of awful quality and badly maintained, something that could have been prevented by proper review and the high quality standards applied to Factory. This alone is for me the decisive argument why Contrib should just die.
>
> My categories were not exclusive and anyway I fully agree with you. From quickly checking some Contrib stuff there are some really bad examples. It seems quite some stuff slipped through the review process too easily.
>
>>> I would like to hear from Factory maintainers what their thoughts are about the above types of packages. Probably nothing changed here and therefore the statement "everything should enter Factory" is not realistic?
>>
>> I believe it is realistic; the few packages that fit your first and third category could easily be moved to a separate repo or Packman respectively, while the rest should just be migrated to Factory. It would raise the quality of the distribution and be a benefit to users.
>
> Again agreed. We should really work on bringing the useful stuff into Factory but I see leftovers where it might make sense to still have them available. I'm wondering how "be moved to a separate repo" is different from redefining what Contrib is?

So we have two categories of packages left which cannot be in Factory: firstly software which is inherently insecure and cannot be maintained in Factory, and secondly software which is volatile in nature. Do you have some examples or even numbers for these categories? Even rather nightmarish stuff like phpMyAdmin seems to be in Factory now, and for the second category only chromium comes to mind, which even Debian has allowed to be included in their latest stable release.

While I can agree with almost all of the above I still think Contrib should be obsoleted and replaced by separate repositories for a number of reasons:
* both categories are very different and rather insecure packages should be clearly identifiable
* the name "Contrib" is for such a redefined purpose very misleading
* such an obsoletion makes sure the large number of packages which are in there for no reason will be moved to a proper development repo and from there into Factory

Given that there is even a large enough number of packages for both categories, how about creating something like openSUSE:*:Volatile and openSUSE:*:Insecure instead of Contrib?
-- 
Guido Berhoerster
On 02/03/2011 10:43, Guido Berhoerster wrote:
> * Wolfgang Rosenauer <wolfgang@rosenauer.org> [2011-03-01 21:21]:
>> On 01.03.2011 20:59, Guido Berhoerster wrote:
>>> * Wolfgang Rosenauer <wolfgang@rosenauer.org> [2011-03-01 20:01]:
>>>> There are different types of packages in Contrib currently, including
>>>> - packages dropped from Factory because security maintenance is very

Shouldn't this be discussed on factory? I don't understand anything about this package problem and bet most non-developer project members are like me :-)

jdd
-- 
http://www.dodin.net
http://www.dailymotion.com/video/xgxog7_clip-l-ombre-et-la-lumiere-3-bad-pig...
http://www.youtube.com/watch?v=FGgv_ZFtV14
* jdd <jdd@dodin.org> [2011-03-02 10:52]:
> On 02/03/2011 10:43, Guido Berhoerster wrote:
>> * Wolfgang Rosenauer <wolfgang@rosenauer.org> [2011-03-01 21:21]:
>>> On 01.03.2011 20:59, Guido Berhoerster wrote:
>>>> * Wolfgang Rosenauer <wolfgang@rosenauer.org> [2011-03-01 20:01]:
>>>>> There are different types of packages in Contrib currently, including
>>>>> - packages dropped from Factory because security maintenance is very
>
> Shouldn't this be discussed on factory? I don't understand anything about this package problem and bet most non-developer project members are like me :-)

No, this only peripherally touches Factory and is about policy.
-- 
Guido Berhoerster
Guido Berhoerster wrote:
> So we have two categories of packages left which cannot be in Factory: firstly software which is inherently insecure and cannot be maintained in Factory, and secondly software which is volatile in nature. Do you have some examples or even numbers for these categories?
> [...]
> Given that there is even a large enough number of packages for both categories, how about creating something like openSUSE:*:Volatile and openSUSE:*:Insecure instead of Contrib?

The only argument pro separate repos is that it prevents accidental build dependencies on such packages. From a user's point of view there is not much difference. As soon as the "crap" repo is enabled you need to look very closely to find out where a package comes from. Some kind of tag that makes e.g. zypper display "this package has a bad security reputation, use XXX instead" would be more useful.

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
* Ludwig Nussel <ludwig.nussel@suse.de> [2011-03-02 11:01]:
> Guido Berhoerster wrote:
>> So we have two categories of packages left which cannot be in Factory: firstly software which is inherently insecure and cannot be maintained in Factory, and secondly software which is volatile in nature. Do you have some examples or even numbers for these categories?
>> [...]
>> Given that there is even a large enough number of packages for both categories, how about creating something like openSUSE:*:Volatile and openSUSE:*:Insecure instead of Contrib?
>
> The only argument pro separate repos is that it prevents accidental build dependencies on such packages. From a user's point of view there is not much difference. As soon as the "crap" repo is enabled you need to look very closely to find out where a package comes from. Some kind of tag that makes e.g. zypper display "this package has a bad security reputation, use XXX instead" would be more useful.

Agreed, my point was exactly that one would need to explicitly enable such a repo with an obvious name which then really only contains "crap" packages and nothing else.
-- 
Guido Berhoerster
> Agreed, my point was exactly that one would need to explicitly enable such a repo with an obvious name which then really only contains "crap" packages and nothing else.

I think that you are pretty liberal with the use of the word crap, with and without quotes. The packages in contrib are not necessarily a security threat... they simply did not get audited in the same way as the packages that made it into the distro.

Alin
-- 
I force myself to contradict myself in order to avoid conforming to my own taste. -- Marcel Duchamp
Without Questions there are no Answers!
_____________________________________________________________________
Alin Marin ELENA
Advanced Molecular Simulation Research Laboratory
School of Physics, University College Dublin
----
Ardionsamblú Móilíneach Saotharlann Taighde
Scoil na Fisice, An Coláiste Ollscoile, Baile Átha Cliath
-----------------------------------------------------------------------------------
http://alin.elenaworld.net
______________________________________________________________________
* Alin Marin Elena <alinm.elena@gmail.com> [2011-03-02 11:52]:
>> Agreed, my point was exactly that one would need to explicitly enable such a repo with an obvious name which then really only contains "crap" packages and nothing else.
>
> I think that you are pretty liberal with the use of the word crap, with and without quotes. The packages in contrib are not necessarily a security threat...

No, and nobody in this thread said that.

> they simply did not get audited in the same way as the packages that made it into the distro.

Right, and I see no reason why these should not be moved to Factory.
-- 
Guido Berhoerster
On Wed, Mar 02, 2011 at 10:43:51AM +0100, Guido Berhoerster wrote:
...
> So we have two categories of packages left which cannot be in Factory: firstly software which is inherently insecure and cannot be maintained in Factory, and secondly software which is volatile in nature. Do you have some examples or even numbers for these categories? Even rather nightmarish stuff like phpMyAdmin seems to be in Factory now, and for the second category only

As community members submitted it, I take it they commit to maintain it for the lifetime of the openSUSE release it's in.

For phpMyAdmin I just sent them an email making it very clear that for it Security _requests_ active maintenance.

For other not-so-critical packages we can be a bit more relaxed, but not for phpMyAdmin, which was in the top 10 of security issues in the last releases we had it.

(Chromium might also be a candidate, if we have commitment that updates get pushed as fast as we get them with Firefox.)

Ciao, Marcus
* Marcus Meissner <meissner@suse.de> [2011-03-02 11:19]:
> On Wed, Mar 02, 2011 at 10:43:51AM +0100, Guido Berhoerster wrote:
> ...
>> So we have two categories of packages left which cannot be in Factory: firstly software which is inherently insecure and cannot be maintained in Factory, and secondly software which is volatile in nature. Do you have some examples or even numbers for these categories? Even rather nightmarish stuff like phpMyAdmin seems to be in Factory now, and for the second category only
>
> As community members submitted it, I take it they commit to maintain it for the lifetime of the openSUSE release it's in.
>
> For phpMyAdmin I just sent them an email making it very clear that for it Security _requests_ active maintenance.
>
> For other not-so-critical packages we can be a bit more relaxed, but not for phpMyAdmin, which was in the top 10 of security issues in the last releases we had it.
>
> (Chromium might also be a candidate, if we have commitment that updates get pushed as fast as we get them with Firefox.)

That is a good argument that we actually don't need such a repo at all. (phpMyAdmin was just an example based on what I frequently see in Apache logs and never part of Contrib.)
-- 
Guido Berhoerster
Hi,

As one of the people who does maintain Contrib, I'll add my comments inline.

On 3/1/11 2:01 PM, Wolfgang Rosenauer wrote:
> Hi,
>
> I think I'm not the only one who is confused about today's status of Contrib. This project probably needs some respecification because policies around the openSUSE project changed since Contrib was started.

Agreed.

> The Factory distribution is pretty open nowadays and I hear a lot of people saying that Contrib is not needed anymore and everything useful should enter Factory but I'm not sure if that makes sense or can work out at all.
>
> There are different types of packages in Contrib currently, including
> - packages dropped from Factory because security maintenance is very hard (e.g. some php apps)

These should be moved to the server:php repos IMO.

> - packages dropped from Factory because they are outdated immediately and nobody likes to use them for two years from $DIST
> - packages dropped from Factory just because they haven't been touched upstream for years (but are still doing their job well) (e.g. abook)
>
> I would like to hear from Factory maintainers what their thoughts are about the above types of packages. Probably nothing changed here and therefore the statement "everything should enter Factory" is not realistic?

Yes. Some of the packagers do not want to maintain them in Factory for whatever reasons: not wanting a version freeze imposed etc.

> Given that (please correct me if I'm wrong) I still see a need for something like Contrib. I would change its policy though and wouldn't freeze versions hard for released distributions. More like the backport repositories or packman would probably make sense. If you now say that is what backport repos are for, I would answer that having 20 backport repos is a nightmare and also it should be possible to stay on a version if there is no real need to update to a newer one. Contrib maintainers should be rather free to decide if a version update is done or not.
>
> What do others think?
>
> Wolfgang

Well, I think we could do the following: make the repo an area where version freezes are not imposed, at least for leaf packages.

As for the new packages, I have concentrated on getting the submitters to get the package quality comparable to Factory. No doubt it needs to evolve, but there is definitely a use for this kind of repo.

My 0.02

Cheers,
Peter
Peter Linnell wrote:
> Well, I think we could do the following: make the repo an area where version freezes are not imposed, at least for leaf packages.

What makes you think that's not the case already?

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
participants (7): Alin Marin Elena, Guido Berhoerster, jdd, Ludwig Nussel, Marcus Meissner, Peter Linnell, Wolfgang Rosenauer