Mailinglist Archive: opensuse-project (539 mails)

Re: [opensuse-project] Contrib project
  • From: Guido Berhoerster <gber@xxxxxxxxxxxx>
  • Date: Wed, 2 Mar 2011 10:43:51 +0100
  • Message-id: <20110302094351.GI4650@wopr.local.invalid>
* Wolfgang Rosenauer <wolfgang@xxxxxxxxxxxxx> [2011-03-01 21:21]:
> On 01.03.2011 20:59, Guido Berhoerster wrote:
> > * Wolfgang Rosenauer <wolfgang@xxxxxxxxxxxxx> [2011-03-01 20:01]:
> > > There are different types of packages in Contrib currently, including
> > > - packages dropped from Factory because security maintenance is very
> > > hard (e.g. some php apps)
> >
> > If packages constitute a security risk or are hardly maintainable
> > they should be clearly identified as such so people are aware of
> > what they are getting into, e.g. by putting these packages in a
> > separate repo. Everything else is just a disservice to our
>
> Agreed. But openSUSE as a distribution has no answer to that (yet).
> Every package in oss is treated the same way (basically).
>
> > > - packages dropped from Factory because they are outdated immediately
> > > and nobody likes to use them for two years from $DIST
> >
> > I'd say such packages fit the way Packman operates and so be
> > maintained there, in fact as somebody noticed on the Packman
> > list there is already duplication between some Contrib and
> > Packman packages.
>
> Please don't get me wrong as I like the packman service but there are a
> few reasons why I don't think packman is the way to go (at least IMHO).
> First it's a separate developer group. I have no access to it just with
> my opensuse identity. I don't like to have a separate infrastructure for
> that type of packages. This just sounds wrong to me.
> Another one is that I'm unsure about the quality of the packages there
> (please note that I have the same concerns for Contrib currently). There
> is no bugtracker, there is no way to easily contribute (I think).
>
> > > - packages dropped from Factory just because they haven't been touched
> > > upstream for years (but are still doing their job well) (e.g. abook)
> >
> > If they work and have a package maintainer looking after it I see
> > no reason why they should not be in Factory.
>
> Same here, but there are packages which were dropped just for that
> reason. Therefore I asked the Factory people if we should just bring
> them back into Factory?
>
> > Apart from the three categories you mentioned there is a fourth
> > category, namely many packages of both obscure and fairly
> > mainstream software which seems to be in Contrib for no good
> > reason at all. And what is really bad about this is that some of
> > these packages are of awful quality and badly maintained,
> > something that could have been prevented by proper review and the
> > high quality standards applied to Factory. This alone is for me
> > the decisive argument why Contrib should just die.
>
> My categories were not exclusive and anyway I fully agree with you. From
> quickly checking some Contrib stuff there are some really bad examples.
> Seems quite some stuff slipped through the review process too easily.
>
> > > I would like to hear from Factory maintainers what their thoughts are
> > > about the above types of packages. Probably nothing changed here and
> > > therefore the statement "everything should enter Factory" is not realistic?
> >
> > I believe it is realistic, the few packages that fit your first
> > and third category could easily be moved to a separate repo or
> > Packman respectively while the rest should just be migrated to
> > Factory. It would raise the quality of the distribution and be a
> > benefit to users.
>
> Again agreed. We should really work on bringing the useful stuff into
> Factory but I see leftovers where it might make sense to still have them
> available. I'm wondering where "be moved to a separate repo" is
> different from redefining what Contrib is?

So we have two categories of packages left which cannot be in
Factory, firstly software which is inherently insecure and
cannot be maintained in Factory and secondly software which is
volatile in nature. Do you have some examples or even numbers for
these categories? Even rather nightmarish stuff like phpMyAdmin
seems to be in Factory now and for the second category only
chromium comes to mind which even Debian has allowed to be
included in their latest stable release.

While I can agree with almost all of the above I still think
Contrib should be obsoleted and replaced by separate repositories
for a number of reasons:

* both categories are very different and rather insecure packages
should be clearly identifiable
* the "Contrib" is for such a redefined purpose very misleading
* such an obsoletion makes sure the large number of packages which
are in there for no reason will be moved to a proper
development repo and from there into Factory

Given that there is even a large enough number of packages for both
categories how about creating something like openSUSE:*:Volatile
and openSUSE:*:Insecure instead of Contrib?
Guido Berhoerster