Mailinglist Archive: opensuse-buildservice (312 mails)

Re: [opensuse-buildservice] Integrating packages into Factory
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Tue, 29 Jul 2008 18:50:23 +0200
  • Message-id: <200807291850.24511.adrian@xxxxxxx>
On Tuesday 29 July 2008 18:12:59 Archie Cobbs wrote:
> On Tue, Jul 29, 2008 at 10:09 AM, Adrian Schröter <adrian@xxxxxxx> wrote:
>> However, what is needed is IMHO a discussion and policy what the openSUSE
>> distribution should be.
>>
>> a) A relative small distribution with best possible quality, trust and
>>
>> b) A as large as possible distro with the price of lower
>> quality/trustable and more often changing content.
>>
>> c) something in the middle ;)
>>
>> Whatever you select, you will have a price to pay. But this is IMHO
>> something what should be discussed on -factory or -project. Or even
>> better, someone can come up with a proposal how a package can qualify for
>> the distribution in future.
>
> Some thoughts on this discussion from one end-user's perspective...
>
> Long ago I used FreeBSD heavily and one thing I very much appreciated
> was having "one stop shopping" for 3rd party software, i.e., there was
> a single project-monitored and blessed place to go to find 3rd party
> software (the FreeBSD ports/packages system).
>
> On the other hand, Linux always seemed to have more software available
> than FreeBSD.... BUT it was a lot harder to find/access, came from
> "random" places (e.g., searching, and often didn't work
> because it wasn't well integrated, or you had to build it yourself (so
> no RPM database tracking), etc.
>
> The OBS is a great unifying technology that solves part of that second
> Linux-specific problem set: (a) I can find almost all software for
> SUSE in one place, (b) software on
> OBS is built under clean-room conditions for each distribution (c) all
> software is RPM packages with consistent inter-package dependencies.
>
> However, there still remains one problem with OBS: there are so many
> separate repositories. I don't have a problem with home:foobar
> projects, it's clear what they are about, and they should remain
> separate. However, why do I have to end up adding twenty different
> repositories to zypper (which dramatically slows it down by the way)

this should be really fixed with 11.0

> just because what I want to do doesn't fit neatly into a single
>
> So here's my suggestion. First, keep the three "levels of trust" we
> have now: 1 = factory, 2 = established category projects like
> network:telephony, Apache, etc., 3 = home:user projects.
>
> Next, with each release of SUSE, create the normal SUSE distribution
> using level 1 stuff, but also create a new "3rd party distribution"
> containing the union of all level 2 projects, taken as a snapshot at
> release time. The "3rd party distribution" could be shipped as a
> separate set of ISO images and would also be hosted in a *single*
> online repository (called e.g., "openSUSE 10.3 3rdParty").

This would have basically two effects:

1) The repository would cause plenty of conflicts, because we allow by
intention that packagers replace/update packages. It would cause a real
dependency hell when installing any package in YaST.

2) everybody would be able to inject evil code into everybody's system.
(you do not even need to install a specific package, you would always
get the package with %post script sending your credit card credentials
to someone else). So no one should ever add this repo, simply because
it is such an easy target that for sure plenty of people will do it.

Seriously, I have often enough seen code in configure scripts talk with online
servers and send private data that I will never install software which is
not trustable to some degree (or I have reviewed myself).



Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@xxxxxxx
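
As an added example that is not part of the original mail, the following Python sketch triages the `%post` concern raised above: it reads the text printed by `rpm -qp --scripts <package>` and lists scriptlet lines that appear to use the network. The marker list, the function names and the sample output are assumptions constructed for illustration, and the match is a heuristic aid to manual review, not proof that a package is safe.

```python
import re

# Section headers as printed by `rpm -q --scripts`.
HEADER = re.compile(r"^(\w+) (?:scriptlet \(using [^)]+\):$|program: )")
# Heuristic markers of network use in shell code (assumed list, extend as needed).
NETWORK = re.compile(r"\b(?:curl|wget|nc|ncat|telnet)\b|/dev/tcp/|https?://")

# Constructed sample output, not taken from a real package.
SAMPLE = """\
preinstall scriptlet (using /bin/sh):
# docs: http://example.invalid/readme
/usr/sbin/groupadd -r demo 2>/dev/null || :
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
wget -q -O /dev/null "http://stats.example.invalid/ping?h=$(hostname)"
postuninstall program: /sbin/ldconfig
"""

def split_scriptlets(text):
    """Return {scriptlet name: [body lines]} from `rpm -q --scripts` output."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # New section; a "program:" entry has no shell body to collect.
            current = scripts.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return scripts

def network_findings(text):
    """List (scriptlet, line number, line) for lines that look like network use."""
    findings = []
    for name, body in split_scriptlets(text).items():
        for n, line in enumerate(body, 1):
            if line.lstrip().startswith("#"):
                continue  # whole-line shell comment, e.g. a documentation URL
            if NETWORK.search(line):
                findings.append((name, n, line.strip()))
    return findings

if __name__ == "__main__":
    for name, n, line in network_findings(SAMPLE):
        print(f"{name}:{n}: {line}")
```
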
