Upstream developers mainting there own package in Fedora and nothing else

Mon May 5 09:59:13 UTC 2008

On Mon, 05 May 2008 10:27:14 +0200, Hans de Goede wrote:

> Hi All,
> 
> After the sponsor discussion we recently had, I decided I've been neglecting 
> the sponsoring and went and took a look at the FE-NEEDSPONSOR queue.
> 
> One of the reviews this has got me involved in is fpm2:
> https://bugzilla.redhat.com/show_bug.cgi?id=444830
> 
> This review is special as the upstream developer is submitting the package, and 
> he has stated that for now he has no interest in doing other Fedora work.
> 
> I believe that it is good to have upstream maintain packages for there own 
> software, even if that is the only thing they do within Fedora, so I've 
> proposed the following procedure to the submitter:
> 
> --
> 
> Ok, we currently don't really have any special rules for an upstream maintainer 
> becoming a maintainer of its own software within Fedora, but this is definitely 
> something we want. So I would like to propose the following:
> 
> 1 I review fpm2, you make any necessary changes etc, until I approve fpm2
> 2 Once fpm2 is approved you can request cvsextras membership in the account-
>    system and I'll sponsor you
> 3 Given that you're new at packaging I'll then co-maintain fpm2 with you
>    (mostly looking over your shoulder I'm more then busy enough as is).
> 4 Please refrain from touching other peoples packages as you've not been
>    through the normal showing the ropes process involved in sponsering
> 5 If you want to submit another package please let me know then we can continue
>    the sponsor process there.
> 
> Does this sound like a plan?
> 
> --
> 
> And now I'm wondering what others think of this and if maybe we should get some 
> kinda special procedure for this?

My first thought was "do we really need policies for everything"?

Can't we just say that the sponsors have permission to approve accounts
so new contributors may join and get productive?
If you agree with an upstream developer on maintaining a package in Fedora,
either alone or with you as co-maintainer, does it matter how you do it?

You just need to be careful with premature approval of a package+account
from somebody, who only follows Fedora Packaging guidelines reluctantly
during review and later drops the ball. With reasons that may or may not
have to do with Fedora or its bureaucracy. Then you would need to continue
maintaining the package yourself or orphan it. For temporary volunteers
it's too easy to leave the project and leave behind work, which other
people may need to pick up because of dependencies. As long as we have an
increasing collection of guidelines and policies in a Wiki that gives the
feeling of a maze, Fedora is not just another platform which you can throw
at a multi-distribution spec file that doesn't adhere to the policies.
Every package in Fedora demands interest in creating a package that
meets the guidelines and in using the Fedora-specific tools to build
and publish the rpms. It's beneficial if an upstream developer, who
wants to maintain his software in Fedora, actually uses Fedora *and*
the packaged software. Eexcept if Fedora gives reason to be unhappy,
that bears a risk.

> This has lead to me thinking that we really 
> need the special new contributer group which was proposed by I believe Jesse, 
> which is to be a special group for new contributers which would not give them 
> access to anything outside their own packages.

Do you want to prevent accidents? Or do you want to reduce the privileges
of possibly malicious users? Any packager plays with fire if he touches
things other than his own packages. And even if new contributors in a
special group are locked down to their own packages, access to the build
system is the crucial point.

-- 
Fedora release 8 (Werewolf) - Linux 2.6.23.15-137.fc8
loadavg: 1.02 1.12 1.14