Mailinglist Archive: opensuse (4398 mails)

< Previous Next >
Re: [opensuse] Packages from a user and Packager perspective
  • From: Pascal Bleser <pascal.bleser@xxxxxxxxx>
  • Date: Tue, 06 Sep 2005 12:58:43 +0200
  • Message-id: <431D7663.9000600@xxxxxxxxx>
Hash: SHA1

Andreas Simon wrote:
> On Monday 05 September 2005 08:32, Andreas Girardet wrote:
> This is a great initiative.
> Two points I can't find on the wiki page.
> Bug-tracking system. I think it's important to have a bug-tracking system up
> for contributed packages. Probably we don't need to discuss the advantages of
> that.

Would definately be a requirement. There must be a convenient way to report issues with every
package. But... not that easy to implement.

> Review. I suppose many people whould not be comfortable with the prospect that
> packages from random people are committed without any review process. Quality
> is important. Thus I would like to see a group of people, people who have
> shown to have competence and commitment to review packages before they are
> commited. This is a good way to hold up a minimum of quality, ensure that
> SUSE's packaging policies are followed, etc. I see quality here more imporant
> than the number of rpms.

Exactly. I've already said (and AFAICR it's on the wiki) that not "everyone" should be able to
commit packages in there. Or if they do, they must be reviewed by experienced packagers before being
available for download.
But review is not enough, as unmaintained packages are a pain as well.
People who contribute RPMs must understand that;
- - they must follow a common style guide
- - they become the maintainer for that package and must commit to keeping it up to date and applying

> People should also do some investigation to ensure that the packages are free
> of legal issues (at least as far as a non-lawyer can tell) and known security
> issues before the packages land on the servers. Packages with known security
> issues should not be commited at all until a patch is made (or maybe put into
> some seperate repository with a big red warning).

Yep, legal issues are important as well.

> Something else. The wiki page asks about how to integrate packman. Will this
> be possible at all? Packman contains packages which are illegal in a lot of
> countries. If this project want's to stay under the umbrella of openSUSE such
> packages are surely out of this game (think of copy-protection circumvention,
> and unlicensed media codecs). Maybe it would be a good idea to have a single
> repository for this kind of packages outside of the openSUSE project.

Packman will remain Packman.

Guys, step back a bit and first spend some time thinking about all this.
I've been maintaining RPMs for quite a while (I run the suser-guru repository), I'm part of Packman
and I've had long prospective discussions with Dag Wieers of RPMforge.
There have already been a lot of ideas, most of those points discussed, but not much has happened up
to now, mostly because all of this requires a /lot/ of work.

This is *really* complex to set up, there are a lot of things to think about, policies to define,
rules to be followed, technical infrastructure to be set up.
It's great to have the momentum, the will to make something happen, but it will need some time and
long discussions to properly set that up.

So don't get rushed into something not feasible or which is already broken by design.
There are a number of people who are really experienced with all of this (yes, I humbly include
myself ;)) and, believe me, it's much more complex than what most of you think.

Nevertheless, we should keep on collecting and discussing ideas as well as potential issues.

> From the wiki:
> "Packages should be allowed from any source regardless of the packagers
> seniority or trust level."
> Are you serious? People should install random software on their systems? Trust
> is important here. If the first packages arrive which break user systems,
> delete their data, install backdoors, etc. openSUSE will suffer from it. I
> too think everyone should be able to contribute packages, including people
> who have not yet much practise with rpm (I for example am just learning how
> to do them), etc. But those packages should be reviewed by more expierinces
> and trusted people before they land in the repositores.

Yep, I agree 100%.
I've seen a lot of ugly packages already (installing into /usr/local, no dependency information, no
init scripts, no desktop files, ...) and those just don't help *anyone*.
It's also more difficult than you think to find people who are committed /into time/, not just
baking a single RPM and submitting it somewhere. Packages need maintainers.

Some might start to think "oh boy, not the same thing as Debian or Fedora, all they are doing is
Well.. Debian's packaging is working very well:
- - they have dedicated maintainers
- - they have strong policies (maybe a bit too paranoid, I agree)
- - they have very interesting build tools (e.g. for unattended builds)

Fedora also has rather well-defined policies for their package(r)s.
I don't agree with some parts of it, I even think some of their decisions are plain broken, but

Quality is definately the most important aspect, much more important than quantity.
And to me, quality is:
- - having dedicated maintainers that update their packages when new releases come out, when bugfixes
are needed
- - having experienced packagers, who know their distro, who know how to integrate it well into SUSE
- - having clearly defined policies and style guides (Novell/SUSE already have some [1], but they are
incomplete to me, at lease for our purpose, but must serve as a base)
- - for new packagers that join in or for new package submissions: reviews by experienced packagers,
cross-signing of packages


Believe me, if we don't put it up like that, it's never going to work.
Please let's discuss on that basis.

How about a dedicated mailing-list ?

- --
-o) Pascal Bleser
/\\ <pascal.bleser@xxxxxxxxx> <guru@xxxxxxxxxxx>
_\_v The more things change, the more they stay insane.
Version: GnuPG v1.4.0 (GNU/Linux)


< Previous Next >