Review queue/FESCo after the merge
Thorsten Leemhuis
fedora at leemhuis.info
Wed Nov 14 21:22:55 UTC 2007
On 14.11.2007 18:54, Christopher Aillon wrote:
> Thorsten Leemhuis wrote:
>
> We have a problem, I agree. It's a problem I'm happy to have in a way
> because it means we're growing fast.
Fast yes, but not that much faster than when Core and Extras moved one year
ago afaics.
> Part of the problem is the review process itself.
+1 ; the "merge-review" idea IMHO was and still is a too big target as well.
> It encompasses
> several pages, many of the items are duplicated, etc. It's just unruly.
+1
> And the more packaging guidelines we have, the worse it will get.
I think it is time to split some things into "this you must know" and
"this is written down here so you can look it up if you act in a
specific area and need guidance"
> [...]
> I think the ideal way to fix this is to have a web app that people
> submit packages to for review. This web app will build the SRPM in
> koji, can check the md5sum of the tarball vs upstream, can run rpmlint,
> make sure the various specfile tags are in the right format, etc etc etc
> -- as many things that we can automate in the review process we should
> automate.
Not sure if we need a "web app" for it:
* Scratch builds are possible in koji already, but not that much
advertised.
* "md5sum of the tarball vs upstream" -- why do we have this test at
all? A packager that wants to get malicious code into Fedora can easily
do that after the initial import by uploading a new source package into
the look-aside cache during the next update; chances are very small that
somebody will recheck the file. On the other hand: If we want this
check then it has to be done at least partly by a human during review,
as he needs to check if the download location is a sane one and not the
packager's homepage. A simple script (which should be in a package
fedora-reviewertools or something) can automate the rest for the reviewer.
* rpmlint -- yes, of course; but the packager should do it already when
he uploads the package
* "make sure the various specfile tags are in the right format" ->
should likely be done by rpmlint?
On the other hand having some kind of place that runs rpmlint and md5sum
checks after each package build in koji would be a really nice thing to
have.
Cu
knurd
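An added example (not from this thread, nor from any Fedora tool) of the reviewer-side script sketched above: it expands SourceN tags from a constructed spec fragment, compares the imported tarball's checksum against the upstream copy (fetching is assumed to happen elsewhere; bytes are passed in so it runs offline), and flags download hosts outside a reviewer-supplied allowlist, leaving the "is this location sane" judgement to the human as the post says.

```python
import hashlib
import re

# Constructed spec fragment for illustration; not a real Fedora package.
SAMPLE_SPEC = """\
Name:           foo
Version:        1.2.3
Release:        1%{?dist}
Source0:        https://downloads.example.org/foo/foo-%{version}.tar.gz
Source1:        http://people.example.net/~packager/foo-extra.tar.gz
"""


def expand_macros(value, macros):
    """Expand %{name}-style macros; conditional %{?dist}-style ones are dropped."""
    value = re.sub(r"%\{\?[^}]*\}", "", value)
    return re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), value)


def parse_sources(spec_text):
    """Return {SourceN: expanded URL} using Name/Version/Release seen earlier in the spec."""
    macros, sources = {}, {}
    for line in spec_text.splitlines():
        m = re.match(r"^(\w+):\s*(.+?)\s*$", line)
        if not m:
            continue
        tag, val = m.groups()
        if tag in ("Name", "Version", "Release"):
            macros[tag.lower()] = expand_macros(val, macros)
        elif re.fullmatch(r"Source\d*", tag):
            sources[tag] = expand_macros(val, macros)
    return sources


def check_source(tag, url, local_bytes, upstream_bytes, trusted_hosts):
    """Automatable part of the review: checksum of the imported tarball versus the
    upstream copy (sha256 here rather than the md5sum the thread mentions), plus a
    host hint for the part only a reviewer can judge. Returns (ok, findings)."""
    findings = []
    if hashlib.sha256(local_bytes).digest() != hashlib.sha256(upstream_bytes).digest():
        findings.append(f"{tag}: imported tarball differs from the upstream download")
    host = re.sub(r"^https?://([^/]+).*$", r"\1", url)
    if host not in trusted_hosts:
        findings.append(f"{tag}: {host} is not a known upstream host; reviewer must confirm")
    return (not findings, findings)


if __name__ == "__main__":
    tarball = b"constructed tarball bytes"  # stands in for the look-aside cache file
    for tag, url in parse_sources(SAMPLE_SPEC).items():
        # upstream_bytes would come from fetching `url`; identical bytes assumed here
        print(tag, url, check_source(tag, url, tarball, tarball, {"downloads.example.org"}))
```

Re-running the same check after every look-aside upload, not just at the initial import, is what closes the gap the post describes.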