[Fedora-packaging] Pre-review Guidelines

Toshio Kuratomi a.badger at gmail.com
Fri May 8 20:06:24 UTC 2009


FESCo approved a request brought by rel-eng to allow a small set of
packages to be checked into cvs and built only into a side tag before
they pass review.  Once they are building and brought up to standard,
they would be put up for a full review and only then be built for the
distribution.

FESCo did say that there were certain review criteria that should be met
before the packages could even get to that initial step of being checked
into cvs and built for the side tag.  They mentioned Not-from-source
checks and legal issues as being in this category.

We need to decide if there are additional Packaging Guidelines that need
to be followed in order for the packages to pass prereview and push that
recommendation to FESCo.  It's also our job to document what those
Guidelines are.  I've made a start with this page:

https://fedoraproject.org/wiki/Pre-review_Guidelines_(draft)

It lists these Guidelines:

* Licensing:Main
* Packaging:LicensingGuidelines
* Packaging:SourceURL
* Packaging:Guidelines#No_inclusion_of_pre-built_binaries_or_libraries
* Packaging:Guidelines#Duplication_of_system_libraries

The main concerns that I think we're trying to protect against are:

1) Is it legal for Fedora to distribute this package?
2) Reducing the chances that the package is going to do something that
could cause issues for the build system.

A third concern that I have, but which depends on whether the packages in
the side tag will be moved over to the dist tags or rebuilt fresh in the
dist tag, is:

3) Protecting the toolchain from being built with malicious code.

If the packages are going to be rebuilt fresh with our existing
toolchain after a full review is done, then this wouldn't be a big issue
to me as the full review either will or will not catch it as normal.  If
the packages built into the side tag will be moved over to the dist tag
(or simply added as a buildroot override for the dist tag) in order to
bootstrap the new packages then I would be concerned.

fnasser, do you know if you guys need bootstrapping or will things be
built fresh?

-Toshio
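The "not-from-source" check and the No_inclusion_of_pre-built_binaries_or_libraries guideline referenced in the message above amount to inspecting a source tarball for compiled artifacts before anything is built from it. The following is an added example of such a scan, not code from the original message or from Fedora's own review tooling; the sample tarball, its file names and the classification labels are constructed for illustration. It checks file magic (ELF, PE, Java class, zip-based jar) first and falls back to a weaker suffix-only match, so a renamed binary is still caught and a misnamed text file is flagged at a lower confidence.

```python
import io
import tarfile
import zipfile
from typing import Dict, Optional

# Magic bytes for the artifact types a reviewer most often finds bundled in upstream tarballs.
ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ZIP_MAGIC = b"PK\x03\x04"
# Suffixes that suggest a pre-built artifact even when the content is not recognised.
SUSPICIOUS_SUFFIXES = (".jar", ".war", ".so", ".a", ".dll", ".exe", ".o", ".pyc", ".class")


def classify(name: str, head: bytes) -> Optional[str]:
    """Return a label for a member that looks pre-built, or None if it looks like source.

    Magic-byte matches are checked before the suffix heuristic so that a binary
    with an innocuous name is still reported.
    """
    lower = name.lower()
    if head.startswith(ELF_MAGIC):
        return "ELF object"
    if head.startswith(PE_MAGIC):
        return "PE/Windows executable"
    if head.startswith(CLASS_MAGIC):
        return "Java class file"
    if head.startswith(ZIP_MAGIC) and lower.endswith((".jar", ".war")):
        return "Java archive"
    if lower.endswith(SUSPICIOUS_SUFFIXES):
        # Name alone matched; content did not. Worth a look, but lower confidence.
        return "suspicious suffix"
    return None


def scan_tarball(data: bytes) -> Dict[str, str]:
    """Map each regular-file member that looks pre-built to its classification."""
    findings: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            fobj = tf.extractfile(member)
            if fobj is None:
                continue
            head = fobj.read(4)  # four bytes cover every magic value above
            label = classify(member.name, head)
            if label is not None:
                findings[member.name] = label
    return findings


def _make_jar() -> bytes:
    """Constructed minimal jar: a zip with one entry, so it starts with the zip magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample_tarball() -> bytes:
    """Constructed source tarball mixing genuine sources with bundled binaries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name: str, content: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))

        add("foo-1.0/README", b"Example project\n")
        add("foo-1.0/src/main.c", b"int main(void) { return 0; }\n")
        add("foo-1.0/lib/helper.so", ELF_MAGIC + b"\x00" * 60)      # bundled shared object
        add("foo-1.0/tools/build.exe", PE_MAGIC + b"\x00" * 100)    # Windows helper binary
        add("foo-1.0/java/Foo.class", CLASS_MAGIC + b"\x00" * 20)   # compiled Java
        add("foo-1.0/java/deps.jar", _make_jar())                   # vendored jar
        add("foo-1.0/mystery.o", b"not really an object file\n")    # suffix-only hit
    return buf.getvalue()


if __name__ == "__main__":
    for path, label in sorted(scan_tarball(build_sample_tarball()).items()):
        print(f"{label:22s} {path}")
```

A real review would run this over the upstream tarball named by the SourceURL and then decide, per finding, whether the artifact must be deleted in %prep and rebuilt from source or is a legitimate test fixture; the scanner only narrows the list of files a human has to inspect.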
