Need advice pertaining to GSoC proposal

James Antill james at fedoraproject.org
Thu Apr 2 04:14:32 UTC 2009


On Thu, 2009-04-02 at 04:02 +0530, Debayan Banerjee wrote:
> 2009/4/2 James Antill <james at fedoraproject.org>:
> > On Thu, 2009-04-02 at 03:09 +0530, Debayan Banerjee wrote:
> >
> >  Indeed, there are two steps:
> >
> > 1) I trust XYZ, to get packages from.
> > 2) I install package Foo from XYZ.
> 
> And why do you trust this repository? How do you know this is to be
> trusted?

 Many different reasons, I guess, I'm not sure I could easily enumerate
them all.

>  Because it came added by default in the distro. Because it
> was mentioned on a Fedora website.

 But neither of these are true. And they are that way for a reason, if
it was a good idea to have Fedora trust one or more third party
repositories for its users ... Fedora would have already done it by
installing the *-release packages for those repos.

> It's the same thing with my approach. Users trust Fedora hosted sites
> and they click on these 1 click install links only if it's on a Fedora
> site, and hence only add official repositories.
> We need the trust-vote-ranking system only for 3rd party repositories.

 So you want to create a category of "official third party
repositories", ok fine ... go argue with FESCO for that, but I don't see
a current technical limitation here (well none that you're saying you'll
fix, anyway).

> >> http://www.cs.ucr.edu/~dperkins/projects/pk-oci/.
> >
> >  This was rejected previously due to not being secure, what has changed?
> 
> On the security aspect you have the trust-vote system for 3rd party
> repos

 Which implies that Fedora hosts trusted/official third party repos. ...
and that a voting system for trust is a workable idea.

> >  Why do you think votes (esp. those by users) and trust are related? I
> > guess it's not a _terrible_ hint, but it's surely not a good one either.
> >  We don't do Fedora package reviews by having everyone vote, so I don't
> > see why we'd want to do the same thing for (expandable) sets of
> > packages.
> 
> Well downloading and installing packages is something any user does
> and hence they have a right to vote for what they liked, like voting
> for water they consume. Voting for package reviews should be done by
> people who understand packaging, not by users who use them. Like
> voting for the filtration process at the water treatment plant.

 I think you are confused, voting for third party repos. is identical to
voting for multiple package reviews (even worse, because packages can
then be added after up votes).

 If what you propose was possible and implemented then given a problem of
"I want to make package X available to Fedora users" you could then do
either:

1. Try to add the package to Fedora -- unlucky now I have to pass a
review.

2. Put the package in my own repo. and propose to add the repo. to
Fedora -- lucky, now I get random users to up vote me (or just do it
myself posing as multiple users).

> >  Given that Fedora, as a distro., don't ship rpmfusion-free-release (for
> > both legal and non-legal reasons) ... why do you think they will
> > maintain this list?
> 
> To help users remain safe.

 Except if we did what you propose users would be much less safe.

>  To make users aware. And Fedora is not
> recommending any repository at all. It's the users recommending it to
> other users (reminds me of p2p). Fedora just hosts that opinion,
> nothing else.

 This is like arguing that Fedora could/should host an open bittorrent
tracker and allow users to put anything in it, but sure go ask FESCO I'm
sure they could do with a laugh.

-- 
James Antill <james at fedoraproject.org>
Fedora