Review queue/FESCo after the merge

Thorsten Leemhuis fedora at leemhuis.info
Wed Nov 14 21:22:55 UTC 2007


On 14.11.2007 18:54, Christopher Aillon wrote:
> Thorsten Leemhuis wrote:
> 
> We have a problem, I agree.  It's a problem I'm happy to have in a way 
> because it means we're growing fast.

Fast yes, but not that much faster than Core and Extras moved one year
ago, afaics.

> Part of the problem is the review process itself. 

+1; the "merge-review" idea IMHO was and still is too big a target as well.

> It encompasses 
> several pages, many of the items are duplicated, etc.  It's just unruly.

+1

>   And the more packaging guidelines we have, the worse it will get. 

I think it is time to split some things into "this you must know" and
"this is written down here so you can look it up if you act in a
specific area and need guidance"

> [...]
> I think the ideal way to fix this is to have a web app that people 
> submit packages to for review.  This web app will build the SRPM in 
> koji, can check the md5sum of the tarball vs upstream, can run rpmlint, 
> make sure the various specfile tags are in the right format, etc etc etc 
> -- as many things that we can automate in the review process we should 
> automate.

Not sure if we need a "web app" for it:

 * Scratch builds are possible in koji already, but not that much
advertised.

 * "md5sum of the tarball vs upstream" -- why do we have this test at
all? A packager that wants to get malicious code into Fedora can easily
do that after the initial import by uploading a new source package into
the look-aside cache during the next update; chances are very small that
somebody will recheck the file.  On the other hand: If we want this
check then it has to be done at least partly by a human during review,
as he needs to check if the download location is a sane one and not the
packager's homepage. A simple script (which should be in a package
fedora-reviewertools or something) can automate the rest for the reviewer.

 * rpmlint -- yes, of course; but the packager should do it already when
he uploads the package.

 * "make sure the various specfile tags are in the right format" ->
should likely be done by rpmlint?

On the other hand having some kind of place that runs rpmlint and md5sum
checks after each package build in koji would be a really nice thing to
have.

Cu
knurd
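As an added illustration of the "md5sum of the tarball vs upstream" check discussed in the post above (example code, not from this thread or from any Fedora tool): the hypothetical helper below expands the Source: tags of a spec, digests the local tarball and the upstream download, and reports the download host so the reviewer can judge whether it is a sane upstream location. The helper name, the `fetch` callable, the spec tags, URLs and tarball bytes are all assumptions or constructed samples.

```python
import hashlib
import re
from typing import Callable, Dict
from urllib.parse import urlparse

# Hypothetical reviewer helper (assumed name; not part of any Fedora tool).
# Spec tags, URLs and tarball bytes used below are constructed samples.
TAG_RE = re.compile(r"^(?P<tag>Name|Version|Source\d*)\s*:\s*(?P<value>\S+)",
                    re.MULTILINE | re.IGNORECASE)
MACRO_RE = re.compile(r"%\{(\w+)\}")


def parse_sources(spec_text: str) -> Dict[str, str]:
    """Return {sourceN: url} with %{name}/%{version} expanded from the spec."""
    macros: Dict[str, str] = {}
    sources: Dict[str, str] = {}
    for m in TAG_RE.finditer(spec_text):
        tag, value = m.group("tag").lower(), m.group("value")
        if tag in ("name", "version"):
            macros[tag] = value
        else:
            sources[tag] = value

    def expand(url: str) -> str:
        return MACRO_RE.sub(lambda mm: macros.get(mm.group(1), mm.group(0)), url)

    return {tag: expand(url) for tag, url in sources.items()}


def compare_source(url: str, local_bytes: bytes, fetch: Callable[[str], bytes],
                   algorithm: str = "sha256") -> dict:
    """Digest the local tarball and the upstream download and report a match.

    The mail talks about md5sum; a collision-resistant digest is the better
    default today. The host is reported, not judged: deciding whether it is
    the real upstream site rather than the packager's own page is the human
    part of the check, and the same comparison should be repeated whenever a
    new source file is uploaded, not only at the initial import."""
    local = hashlib.new(algorithm, local_bytes).hexdigest()
    upstream = hashlib.new(algorithm, fetch(url)).hexdigest()
    return {"url": url, "host": urlparse(url).netloc, "local": local,
            "upstream": upstream, "match": local == upstream}


if __name__ == "__main__":
    spec = ("Name: foo\nVersion: 1.2\n"
            "Source0: http://downloads.example.org/foo/%{name}-%{version}.tar.gz\n")
    tarball = b"constructed tarball bytes"
    for tag, url in parse_sources(spec).items():
        # stub fetch standing in for a real download of the upstream file
        print(tag, compare_source(url, tarball, lambda u: tarball))
```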