Hi All,
At the FESCo meeting today, the following things were decided on 3rd party repositories. Some of this is specific to COPRs because those are an odd case of 3rd party repositories.
1) COPRs can provide RPMS with .repo files in them because Red Hat is the provider and assumes liability, but those cannot be included in the main Fedora repos per FESCo decree.
2) COPR repos may be searched for applications to install as long as the user is explicitly asked to enable the copr before installing packages from them.
3) General 3rd party repositories cannot be searched or enabled due to liability concerns.
(NOTE: "searched" in 2 and 3 was intended to cover searching by software. Clearly users can manually search for anything.)
4) FESCo is okay with pointing to specific free software repositories in the same way as COPR repos if they are approved by FESCo and Fedora Legal. They are not limited in the criteria that they can choose to apply.
5) For non-free sofware repositories, FESCo is not changing exisiting policy. Non-free software repositories are not allowed. Permission to make these discoverable via searching software would require a change in policy from the Fedora Board.
In short, this means products can request approval of specific 3rd party free software repositories. If approved, they can include their contents along with COPR repos in application searches a user does and offer to install them with a warning that they come from a 3rd party, non-Fedora repo. Repositories containing non-free software cannot be enabled by default or made discoverable through software.
josh
On Wed, Dec 11, 2013 at 4:21 PM, Josh Boyer jwboyer@fedoraproject.org wrote:
Hi All,
At the FESCo meeting today, the following things were decided on 3rd party repositories. Some of this is specific to COPRs because those are an odd case of 3rd party repositories.
- COPRs can provide RPMS with .repo files in them because Red Hat is
the provider and assumes liability, but those cannot be included in the main Fedora repos per FESCo decree.
- COPR repos may be searched for applications to install as long as
the user is explicitly asked to enable the copr before installing packages from them.
- General 3rd party repositories cannot be searched or enabled due to
liability concerns.
(NOTE: "searched" in 2 and 3 was intended to cover searching by software. Clearly users can manually search for anything.)
- FESCo is okay with pointing to specific free software repositories
in the same way as COPR repos if they are approved by FESCo and Fedora Legal. They are not limited in the criteria that they can choose to apply.
- For non-free sofware repositories, FESCo is not changing exisiting
policy. Non-free software repositories are not allowed. Permission to make these discoverable via searching software would require a change in policy from the Fedora Board.
In short, this means products can request approval of specific 3rd party free software repositories. If approved, they can include their contents along with COPR repos in application searches a user does and offer to install them with a warning that they come from a 3rd party, non-Fedora repo. Repositories containing non-free software cannot be enabled by default or made discoverable through software.
The FESCo ticket documenting all of this is here: https://fedorahosted.org/fesco/ticket/1201
josh
On Wed, 2013-12-11 at 16:23 -0500, Josh Boyer wrote:
On Wed, Dec 11, 2013 at 4:21 PM, Josh Boyer jwboyer@fedoraproject.org wrote:
Hi All,
At the FESCo meeting today, the following things were decided on 3rd party repositories. Some of this is specific to COPRs because those are an odd case of 3rd party repositories.
- COPRs can provide RPMS with .repo files in them because Red Hat is
the provider and assumes liability, but those cannot be included in the main Fedora repos per FESCo decree.
- COPR repos may be searched for applications to install as long as
the user is explicitly asked to enable the copr before installing packages from them.
- General 3rd party repositories cannot be searched or enabled due to
liability concerns.
(NOTE: "searched" in 2 and 3 was intended to cover searching by software. Clearly users can manually search for anything.)
- FESCo is okay with pointing to specific free software repositories
in the same way as COPR repos if they are approved by FESCo and Fedora Legal. They are not limited in the criteria that they can choose to apply.
- For non-free sofware repositories, FESCo is not changing exisiting
policy. Non-free software repositories are not allowed. Permission to make these discoverable via searching software would require a change in policy from the Fedora Board.
In short, this means products can request approval of specific 3rd party free software repositories. If approved, they can include their contents along with COPR repos in application searches a user does and offer to install them with a warning that they come from a 3rd party, non-Fedora repo. Repositories containing non-free software cannot be enabled by default or made discoverable through software.
The FESCo ticket documenting all of this is here: https://fedorahosted.org/fesco/ticket/1201
The discussion in that ticket was focused almost entirely on coprs, which are really not that relevant when it comes to third-party software.
I have no problem with the 'cannot be enabled by default' part of the last sentence, but 'cannot be made discoverable' is bordering on censorship - fesco does not get to decide what users do with their fedora systems.
Lastly: was any attempt made to invite Christian to the Fesco meeting ? I find it somewhat questionable to decide this item while the main proponent who is cc'ed in the ticket is on a plane to Lahore.
On Wed, Dec 11, 2013 at 10:41 PM, Matthias Clasen mclasen@redhat.com wrote:
On Wed, 2013-12-11 at 16:23 -0500, Josh Boyer wrote:
On Wed, Dec 11, 2013 at 4:21 PM, Josh Boyer jwboyer@fedoraproject.org wrote:
Hi All,
At the FESCo meeting today, the following things were decided on 3rd party repositories. Some of this is specific to COPRs because those are an odd case of 3rd party repositories.
- COPRs can provide RPMS with .repo files in them because Red Hat is
the provider and assumes liability, but those cannot be included in the main Fedora repos per FESCo decree.
- COPR repos may be searched for applications to install as long as
the user is explicitly asked to enable the copr before installing packages from them.
- General 3rd party repositories cannot be searched or enabled due to
liability concerns.
(NOTE: "searched" in 2 and 3 was intended to cover searching by software. Clearly users can manually search for anything.)
- FESCo is okay with pointing to specific free software repositories
in the same way as COPR repos if they are approved by FESCo and Fedora Legal. They are not limited in the criteria that they can choose to apply.
- For non-free sofware repositories, FESCo is not changing exisiting
policy. Non-free software repositories are not allowed. Permission to make these discoverable via searching software would require a change in policy from the Fedora Board.
In short, this means products can request approval of specific 3rd party free software repositories. If approved, they can include their contents along with COPR repos in application searches a user does and offer to install them with a warning that they come from a 3rd party, non-Fedora repo. Repositories containing non-free software cannot be enabled by default or made discoverable through software.
The FESCo ticket documenting all of this is here: https://fedorahosted.org/fesco/ticket/1201
The discussion in that ticket was focused almost entirely on coprs, which are really not that relevant when it comes to third-party software.
Mostly. Yesterday's meeting covered the core of the third-party repo discussion not related to COPRs.
I have no problem with the 'cannot be enabled by default' part of the last sentence, but 'cannot be made discoverable' is bordering on censorship - fesco does not get to decide what users do with their fedora systems.
They haven't decided that. They have stated that software packaged within Fedora cannot reference general 3rd party repositories that have not been approved. As I noted above, there is clearly no method to stop a _user_ from searching for anything and I don't believe FESCo would want to prevent a user from doing anything they want with their system. The restrictions in place are done to limit liability.
The non-free repo ban is less about liability and more about adhering to the Fedora project's philosophies as FESCo read them.
While not exactly unlimited freedom, overallthis is actually less restrictive than previous policies on 3rd party repos (which, in short, has been NO).
(small reminder: I am not on FESCo)
Lastly: was any attempt made to invite Christian to the Fesco meeting ? I find it somewhat questionable to decide this item while the main proponent who is cc'ed in the ticket is on a plane to Lahore.
I will take partial blame for that, as I'm the WG liaison. However, Christian has been rather busy for the past few months and has been silent on the ticket. He and I have discussed this in detail elsewhere and I believe I understand what he was pushing for. If he, or anyone else, would like further action or clarification, please let me know.
josh
On Thu, 2013-12-12 at 07:12 -0500, Josh Boyer wrote:
On Wed, Dec 11, 2013 at 10:41 PM, Matthias Clasen mclasen@redhat.com wrote:
On Wed, 2013-12-11 at 16:23 -0500, Josh Boyer wrote:
On Wed, Dec 11, 2013 at 4:21 PM, Josh Boyer jwboyer@fedoraproject.org wrote:
Hi All,
At the FESCo meeting today, the following things were decided on 3rd party repositories. Some of this is specific to COPRs because those are an odd case of 3rd party repositories.
- COPRs can provide RPMS with .repo files in them because Red Hat is
the provider and assumes liability, but those cannot be included in the main Fedora repos per FESCo decree.
- COPR repos may be searched for applications to install as long as
the user is explicitly asked to enable the copr before installing packages from them.
- General 3rd party repositories cannot be searched or enabled due to
liability concerns.
(NOTE: "searched" in 2 and 3 was intended to cover searching by software. Clearly users can manually search for anything.)
- FESCo is okay with pointing to specific free software repositories
in the same way as COPR repos if they are approved by FESCo and Fedora Legal. They are not limited in the criteria that they can choose to apply.
- For non-free sofware repositories, FESCo is not changing exisiting
policy. Non-free software repositories are not allowed. Permission to make these discoverable via searching software would require a change in policy from the Fedora Board.
In short, this means products can request approval of specific 3rd party free software repositories. If approved, they can include their contents along with COPR repos in application searches a user does and offer to install them with a warning that they come from a 3rd party, non-Fedora repo. Repositories containing non-free software cannot be enabled by default or made discoverable through software.
The FESCo ticket documenting all of this is here: https://fedorahosted.org/fesco/ticket/1201
The discussion in that ticket was focused almost entirely on coprs, which are really not that relevant when it comes to third-party software.
Mostly. Yesterday's meeting covered the core of the third-party repo discussion not related to COPRs.
I have no problem with the 'cannot be enabled by default' part of the last sentence, but 'cannot be made discoverable' is bordering on censorship - fesco does not get to decide what users do with their fedora systems.
They haven't decided that. They have stated that software packaged within Fedora cannot reference general 3rd party repositories that have not been approved. As I noted above, there is clearly no method to stop a _user_ from searching for anything and I don't believe FESCo would want to prevent a user from doing anything they want with their system. The restrictions in place are done to limit liability.
The non-free repo ban is less about liability and more about adhering to the Fedora project's philosophies as FESCo read them.
While not exactly unlimited freedom, overallthis is actually less restrictive than previous policies on 3rd party repos (which, in short, has been NO).
(small reminder: I am not on FESCo)
Lastly: was any attempt made to invite Christian to the Fesco meeting ? I find it somewhat questionable to decide this item while the main proponent who is cc'ed in the ticket is on a plane to Lahore.
I will take partial blame for that, as I'm the WG liaison. However, Christian has been rather busy for the past few months and has been silent on the ticket. He and I have discussed this in detail elsewhere and I believe I understand what he was pushing for. If he, or anyone else, would like further action or clarification, please let me know.
Thanks, Josh, I didn't know you had extensive consultation with Christian on this. I'll let Christian speak for himself when he manages to get back online.
And I guess we'll have to see how this new rule works in practice when we get to talking about concrete cases.
On Wed, Dec 11, 2013 at 4:24 PM, Elad Alfassa elad@fedoraproject.org wrote:
What is COPR?
It's a newly released platform for building personal RPM repositories. Somewhat analogous to Ubuntu's PPAs.
http://copr.fedoraproject.org/ https://fedorahosted.org/copr/ https://fedorahosted.org/copr/wiki/UserDocs#FAQ
josh
On Wed, Dec 11, 2013 at 11:40 PM, Josh Boyer jwboyer@fedoraproject.orgwrote:
On Wed, Dec 11, 2013 at 4:24 PM, Elad Alfassa elad@fedoraproject.org wrote:
What is COPR?
It's a newly released platform for building personal RPM repositories. Somewhat analogous to Ubuntu's PPAs.
http://copr.fedoraproject.org/ https://fedorahosted.org/copr/ https://fedorahosted.org/copr/wiki/UserDocs#FAQ
josh
desktop mailing list desktop@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/desktop
Interesting. We need to think and see how (and if) to integrate it with the desktop fedora experience. I wouldn't want gnome-software searching in all of these automatically. Unless we get COPRs with proper metadata (an archive of all the appdata files they contain, perhaps) and meaningful description, I can't see a way for us to implement a good enough UI to browse and enable those from within the desktop environment.
On Wed, Dec 11, 2013 at 4:50 PM, Elad Alfassa elad@fedoraproject.org wrote:
On Wed, Dec 11, 2013 at 11:40 PM, Josh Boyer jwboyer@fedoraproject.org wrote:
On Wed, Dec 11, 2013 at 4:24 PM, Elad Alfassa elad@fedoraproject.org wrote:
What is COPR?
It's a newly released platform for building personal RPM repositories. Somewhat analogous to Ubuntu's PPAs.
http://copr.fedoraproject.org/ https://fedorahosted.org/copr/ https://fedorahosted.org/copr/wiki/UserDocs#FAQ
josh
desktop mailing list desktop@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/desktop
Interesting. We need to think and see how (and if) to integrate it with the desktop fedora experience. I wouldn't want gnome-software searching in all of these automatically.
Yes, agreed. I was mostly thinking we wouldn't include them in searches.
Unless we get COPRs with proper metadata (an archive of all the appdata files they contain, perhaps) and meaningful description, I can't see a way for us to implement a good enough UI to browse and enable those from within the desktop environment.
Right. Though if there is software contained in some that is really useful, we could include specific repos from there.
Anyway, something that can be decided later.
josh
On Wed, Dec 11, 2013 at 10:55 PM, Josh Boyer jwboyer@fedoraproject.org wrote:
On Wed, Dec 11, 2013 at 4:50 PM, Elad Alfassa elad@fedoraproject.org wrote:
On Wed, Dec 11, 2013 at 11:40 PM, Josh Boyer jwboyer@fedoraproject.org wrote:
On Wed, Dec 11, 2013 at 4:24 PM, Elad Alfassa elad@fedoraproject.org wrote:
What is COPR?
It's a newly released platform for building personal RPM repositories. Somewhat analogous to Ubuntu's PPAs.
http://copr.fedoraproject.org/ https://fedorahosted.org/copr/ https://fedorahosted.org/copr/wiki/UserDocs#FAQ
josh
desktop mailing list desktop@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/desktop
Interesting. We need to think and see how (and if) to integrate it with the desktop fedora experience. I wouldn't want gnome-software searching in all of these automatically.
Yes, agreed. I was mostly thinking we wouldn't include them in searches.
Unless we get COPRs with proper metadata (an archive of all the appdata files they contain, perhaps) and meaningful description, I can't see a way for us to implement a good enough UI to browse and enable those from within the desktop environment.
Right. Though if there is software contained in some that is really useful, we could include specific repos from there.
Anyway, something that can be decided later.
Well there is nothing that can go in this repos that can't be in Fedora right? (closed source is not allowed, patented is not allowed etc.) So if anything those can be used for doing version updates but we must be careful to not break the system (what if the repo owner loses interested and stops updating it?) it would leave the users system in a kind of messy state.
drago01 wrote:
Well there is nothing that can go in this repos that can't be in Fedora right? (closed source is not allowed, patented is not allowed etc.)
AFAIK no package reviews either. I don't want to see COPR repos enabled by default.
So if anything those can be used for doing version updates but we must be careful to not break the system (what if the repo owner loses interested and stops updating it?) it would leave the users system in a kind of messy state.
Yes, no QA. This conversation shouldn't even be taking place.
On Dec 11, 2013 6:00 PM, "Michael Cronenworth" mike@cchtml.com wrote:
drago01 wrote:
Well there is nothing that can go in this repos that can't be in Fedora right? (closed source is not allowed, patented is not allowed etc.)
AFAIK no package reviews either. I don't want to see COPR repos enabled
by default.
Nor do I at the moment.
So if anything those can be used for doing version updates but we must be careful to not break the system (what if the repo owner loses interested and stops updating it?) it would leave the users system in a kind of messy state.
Yes, no QA. This conversation shouldn't even be taking place.
There is nothing preventing someone from producing a high quality package in a COPR. Dismissing it out of hand is shortsighted. It is a tool and like all tools it may solve a need in the future that we can't foresee right now. I'd rather have the conversation and know the options. Even if we don't find anything of value today, we might someday.
josh
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 12/11/2013 05:58 PM, drago01 wrote:
On Wed, Dec 11, 2013 at 10:55 PM, Josh Boyer jwboyer@fedoraproject.org wrote:
On Wed, Dec 11, 2013 at 4:50 PM, Elad Alfassa elad@fedoraproject.org wrote:
On Wed, Dec 11, 2013 at 11:40 PM, Josh Boyer jwboyer@fedoraproject.org wrote:
On Wed, Dec 11, 2013 at 4:24 PM, Elad Alfassa elad@fedoraproject.org wrote:
What is COPR?
It's a newly released platform for building personal RPM repositories. Somewhat analogous to Ubuntu's PPAs.
http://copr.fedoraproject.org/ https://fedorahosted.org/copr/ https://fedorahosted.org/copr/wiki/UserDocs#FAQ
josh -- desktop mailing list desktop@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/desktop
Interesting. We need to think and see how (and if) to integrate it with the desktop fedora experience. I wouldn't want gnome-software searching in all of these automatically.
Yes, agreed. I was mostly thinking we wouldn't include them in searches.
Unless we get COPRs with proper metadata (an archive of all the appdata files they contain, perhaps) and meaningful description, I can't see a way for us to implement a good enough UI to browse and enable those from within the desktop environment.
Right. Though if there is software contained in some that is really useful, we could include specific repos from there.
Anyway, something that can be decided later.
Well there is nothing that can go in this repos that can't be in Fedora right? (closed source is not allowed, patented is not allowed etc.)
That's not *strictly* true. Nothing can go into COPRs that wouldn't be legally permissible in Fedora, but it has fewer restrictions than Fedora proper (otherwise it would be redundant and useless).
A *non-exhaustive* list of things that could go into COPRs that wouldn't be permissible (or at least recommended) in Fedora proper:
* Packages that bundle their dependencies * Packages that provide a backwards-incompatible replacement for something in Fedora (e.g. an experimental repo for the next version of Ruby or OpenStack) * Packages that provide a version upgrade for a stable Fedora branch (e.g. a Desktop environment)
All of these things would be legally acceptable in Fedora, but are not politically or technically acceptable.
So if anything those can be used for doing version updates but we must be careful to not break the system (what if the repo owner loses interested and stops updating it?) it would leave the users system in a kind of messy state.
Yes, this is a risk that was identified at the FESCo meeting as well. The current view is that FESCo and Legal should retain the right to review any COPR before it can be made searchable by other tools (gnome-software being the representative example). So we should certainly *not* enable searching all possible COPR repos by default. However, creating a whitelist (and a UI warning that they're getting something not maintained by the Fedora Project) is probably fine.
On 12/11/2013 04:50 PM, Elad Alfassa wrote:
On Wed, Dec 11, 2013 at 11:40 PM, Josh Boyer <jwboyer@fedoraproject.org mailto:jwboyer@fedoraproject.org> wrote:
On Wed, Dec 11, 2013 at 4:24 PM, Elad Alfassa <elad@fedoraproject.org <mailto:elad@fedoraproject.org>> wrote: > > What is COPR? It's a newly released platform for building personal RPM repositories. Somewhat analogous to Ubuntu's PPAs. http://copr.fedoraproject.org/ https://fedorahosted.org/copr/ https://fedorahosted.org/copr/wiki/UserDocs#FAQ josh -- desktop mailing list desktop@lists.fedoraproject.org <mailto:desktop@lists.fedoraproject.org> https://admin.fedoraproject.org/mailman/listinfo/desktop
Interesting. We need to think and see how (and if) to integrate it with the desktop fedora experience. I wouldn't want gnome-software searching in all of these automatically. Unless we get COPRs with proper metadata (an archive of all the appdata files they contain, perhaps) and meaningful description, I can't see a way for us to implement a good enough UI to browse and enable those from within the desktop environment.
Another thing to consider wehn considering the experience when searching and downloading from COPRs is that they also may contain applications that are already in fedora, (just newer builds).
I am currently using COPR to produce builds of inkscape, gimp and corebird from the upstream master branches -- http://copr.fedoraproject.org/coprs/ryanlerch/
cheers, ryanlerch
desktop@lists.fedoraproject.org