Upstream developers maintaining their own package in Fedora and nothing else

Hans de Goede j.w.r.degoede at hhs.nl
Mon May 5 10:36:49 UTC 2008


Michael Schwendt wrote:
> On Mon, 05 May 2008 10:27:14 +0200, Hans de Goede wrote:
> 
>> Hi All,
>>
>> After the sponsor discussion we recently had, I decided I've been neglecting 
>> the sponsoring and went and took a look at the FE-NEEDSPONSOR queue.
>>
>> One of the reviews this has got me involved in is fpm2:
>> https://bugzilla.redhat.com/show_bug.cgi?id=444830
>>
>> This review is special as the upstream developer is submitting the package, and 
>> he has stated that for now he has no interest in doing other Fedora work.
>>
>> I believe that it is good to have upstream maintain packages for their own 
>> software, even if that is the only thing they do within Fedora, so I've 
>> proposed the following procedure to the submitter:
>>
>> --
>>
>> Ok, we currently don't really have any special rules for an upstream maintainer 
>> becoming a maintainer of its own software within Fedora, but this is definitely 
>> something we want. So I would like to propose the following:
>>
>> 1 I review fpm2, you make any necessary changes etc, until I approve fpm2
>> 2 Once fpm2 is approved you can request cvsextras membership in the account-
>>    system and I'll sponsor you
>> 3 Given that you're new at packaging I'll then co-maintain fpm2 with you
>>    (mostly looking over your shoulder, I'm more than busy enough as is).
>> 4 Please refrain from touching other people's packages as you've not been
>>    through the normal showing-the-ropes process involved in sponsoring
>> 5 If you want to submit another package please let me know then we can continue
>>    the sponsor process there.
>>
>> Does this sound like a plan?
>>
>> --
>>
>> And now I'm wondering what others think of this and if maybe we should get some 
>> kind of special procedure for this?
> 
> My first thought was "do we really need policies for everything"?
> 

I hear you, and I agree less is more when it comes to policies.

> Can't we just say that the sponsors have permission to approve accounts
> so new contributors may join and get productive?

Agreed.

> If you agree with an upstream developer on maintaining a package in Fedora,
> either alone or with you as co-maintainer, does it matter how you do it?
> 

Well, there always is this problem of someone becoming malicious. I guess if 
someone really wants to he can easily just follow the normal process, so do a 
couple of new packages and a couple of reviews, but this is lowering the 
barrier to entry, which I'm fine with, but I at least want others to know about 
this and shout "NOOO" before continuing with this.

> You just need to be careful with premature approval of a package+account
> from somebody, who only follows Fedora Packaging guidelines reluctantly
> during review and later drops the ball. With reasons that may or may not
> have to do with Fedora or its bureaucracy. Then you would need to continue
> maintaining the package yourself or orphan it. For temporary volunteers
> it's too easy to leave the project and leave behind work, which other
> people may need to pick up because of dependencies. As long as we have an
> increasing collection of guidelines and policies in a Wiki that gives the
> feeling of a maze, Fedora is not just another platform which you can throw
> at a multi-distribution spec file that doesn't adhere to the policies.
> Every package in Fedora demands interest in creating a package that
> meets the guidelines and in using the Fedora-specific tools to build
> and publish the rpms. It's beneficial if an upstream developer, who
> wants to maintain his software in Fedora, actually uses Fedora *and*
> the packaged software. Except if Fedora gives reason to be unhappy,
> that bears a risk.
> 

Someone leaving again soon after joining is not my biggest worry; either 
someone else picks up his/her packages, or they get orphaned and removed from 
the next release.

>> This has led to me thinking that we really 
>> need the special new contributor group which was proposed by I believe Jesse, 
>> which is to be a special group for new contributors which would not give them 
>> access to anything outside their own packages.
> 
> Do you want to prevent accidents? Or do you want to reduce the privileges
> of possibly malicious users?

Both but mainly the second (malicious users).

> Any packager plays with fire if he touches
> things other than his own packages. And even if new contributors in a
> special group are locked down to their own packages, access to the build
> system is the crucial point.
> 

True, I forgot about a number of ways to make any package wreak havoc once in 
the repo, so someone truly malicious can wreak havoc as soon as he/she can 
push packages to the repo. Which really just leaves the accident problem, and 
that doesn't have me worried so much.

Regards,

Hans