So, at today's fesco meeting there was some discussion about coprs. http://meetbot.fedoraproject.org/meetbot/fedora-meeting/2013-12-04/fesco.201...
In particular some folks want to be able to ship copr repo files in the main Fedora repository. This would allow users to easily install software from there without having to discover how to enable it.
However, copr packages are not signed or mirrored currently.
So, this brings up thoughts around if we can somehow sign them, and how we could mirror them, or even if we want to go down this road at all (as it seems like not a use case copr was designed for anyhow).
So:
1. Do we even want to pursue this?
2. If so, do we have any ideas how signing copr packages could work?
3. Mirroring doesn't seem like it would be that hard, just rsync off the repos and push them out in our regular mirroring system. Could be a fair bit of churn tho, and there's no set schedule, so we would have to decide on frequency, etc.
4. If coprs moves to being inside koji, could we at that point have a better time with these needs?
5. Perhaps we could propose some kind of purgatory type setup between coprs (experimental, just builds, may set your house on fire, may update incompatibly every day) and fedora repository packages (with all the updates guidelines, reviews, etc).
Thoughts? comments?
Possibly related to this: I wonder if copr could grow a 'meta repo' that has all the repodata of all existing coprs. Then you could just enable one thing and be able to install any coprs?
kevin
FESCo would have to change their rules prohibiting shipping non-official repo files in the main repository. Assuming that political battle is successful...
I think signing must be done by the copr creator (personally).
As each copr repo is independently timed and created, I'd be OK with a frequently scheduled rsync that pulls all coprs and drops them into the master mirrors, for downstreams to pick up at will. Probably in the pub/alt tree please. That will minimize the # of mirrors that are looking for them too.
I think the purgatory problem is one for each copr to decide. Some may be bleeding edge, some may be backports of good stuff that changes infrequently.
I'd say _no_ to the meta-repo, for exactly the above reasons, and so 2 coprs may conflict and/or compete. That's their right.
-- Matt Domsch Distinguished Engineer, Director Dell | Software Group
On 12/04/2013 03:52 PM, Matt_Domsch@Dell.com wrote:
FESCo would have to change their rules prohibiting shipping non-official repo files in the main repository. Assuming that political battle is successful…
We (FESCo) seemed to be fairly agreed on that point (wrt COPR) if we can solve the technical issues that Kevin brought up in this thread.
I think signing must be done by the copr creator (personally).
As each copr repo is independently timed and created, I’d be OK with a frequently scheduled rsync that pulls all coprs and drops them into the master mirrors, for downstreams to pick up at will. Probably in the pub/alt tree please. That will minimize the # of mirrors that are looking for them too.
We don't want to do ALL COPRs. There will definitely be a hierarchy. At the FESCo meeting, we had the general sense that we would only want to allow a limited set that FESCo has approved be available in the main repo.
I think the purgatory problem is one for each copr to decide. Some may be bleeding edge, some may be backports of good stuff that changes infrequently.
I’d say _no_ to the meta-repo, for exactly the above reasons, and so 2 coprs may conflict and/or compete. That’s their right.
Exactly; hence the need for a FESCo approval to elevate one repo to "acceptable to have a repo-providing RPM in the main Fedora repositories".
On 4 December 2013 13:20, Kevin Fenzi kevin@scrye.com wrote:
So, at today's fesco meeting there was some discussion about coprs.
http://meetbot.fedoraproject.org/meetbot/fedora-meeting/2013-12-04/fesco.201...
And then you run into the politics of who gets shipped and who doesn't and if you don't ship all of them then how do you add new ones that get added and ones that go away.. Too much cart, too little horse.
If copr repos do pop up, please require some sane repository name prefix scheme so I don't have to edit MM every time a new person makes a new copr repo. https://git.fedorahosted.org/cgit/mirrormanager/tree/server/mirrormanager/re... is ugly as sin as it is...
-- Matt Domsch Distinguished Engineer, Director Dell | Software Group
On 12/04/2013 04:03 PM, Stephen John Smoogen wrote:
On 4 December 2013 13:20, Kevin Fenzi <kevin@scrye.com> wrote:
So, at today's fesco meeting there was some discussion about coprs. http://meetbot.fedoraproject.org/meetbot/fedora-meeting/2013-12-04/fesco.201...
And then you run into the politics of who gets shipped and who doesn't and if you don't ship all of them then how do you add new ones that get added and ones that go away.. Too much cart, too little horse.
As discussed at the FESCo meeting, this should be entirely up to FESCo. My proposal would be that COPR repository owners would petition FESCo (via a ticket), it would get voted on or we'd come back and tell them what changes they'd need to make before it would be accepted (e.g. "Please don't downgrade glibc", etc.)
On Wed, 2013-12-04 at 13:20 -0700, Kevin Fenzi wrote:
- If so, do we have any ideas how signing copr packages could work?
It might not be what we end up doing, but for reference, Ubuntu's PPAs sign everything automatically, with an automatically generated per-PPA key:
https://help.launchpad.net/Packaging/PPA#Your_PPA.27s_key
On 12/04/2013 09:20 PM, Kevin Fenzi wrote:
- Do we even want to pursue this?
Not my priority. But if somebody will be willing to do it, then you are welcome.
- If so, do we have any ideas how signing copr packages could work?
I did not investigate it yet (again not priority right now) but probably obs-sign: http://en.opensuse.org/openSUSE:Build_Service_Signer https://github.com/openSUSE/obs-sign or sigul: https://fedoraproject.org/wiki/User:Mitr
- Mirroring doesn't seem like it would be that hard, just rsync off the repos and push them out in our regular mirroring system. Could be a fair bit of churn tho, and there's no set schedule, so we would have to decide on frequency, etc.
Copr is just starting. Not so many users right now. I do not think we *need* mirroring right now. I would put this on back burner and revisit this question in ~9 months. But again - if somebody is willing to configure it, then he is welcome.
- If coprs moves to being inside koji, could we at that point have a better time with these needs?
I think that it does not matter.
- Perhaps we could propose some kind of purgatory type setup between coprs (experimental, just builds, may set your house on fire, may update incompatibly every day) and fedora repository packages (with all the updates guidelines, reviews, etc).
Whoa! That is completely Fedora.next hidden in this sentence :)
We are preparing something like this for SCL right now: https://www-dev.softwarecollections.org/en/directory/new/ Note: ^ this may or may not work, this is a dev instance under heavy development. It is focused on SCL only. This will import SCL from Copr and allow to go through some kind of review. And reviewed collections will get some kind of publicity. This is sooo fresh that I hesitate to anticipate anything. But if this will succeed, we can do something similar in higher scale with all projects on Copr.
Possibly related to this: I wonder if copr could grow a 'meta repo' that has all the repodata of all existing coprs. Then you could just enable one thing and be able to install any coprs?
Yes. I plan to provide such a thing. Unfortunately, according to yesterday's FESCo meeting this could not be shipped in Fedora itself. At least not yet.
On Thu, 05 Dec 2013 12:52:36 +0100 Miroslav Suchý msuchy@redhat.com wrote:
On 12/04/2013 09:20 PM, Kevin Fenzi wrote:
- Do we even want to pursue this?
Not my priority. But if somebody will be willing to do it, then you are welcome.
- If so, do we have any ideas how signing copr packages could work?
I did not investigate it yet (again not priority right now) but probably obs-sign: http://en.opensuse.org/openSUSE:Build_Service_Signer https://github.com/openSUSE/obs-sign or sigul: https://fedoraproject.org/wiki/User:Mitr
I've not looked closely at obs-sign, but of course if we wanted to use it, we would need to package it up, etc. There's still a lot of questions I would have around where and how the keys are stored, what it uses to determine what to sign, etc. It's really easy to get this stuff wrong. :)
Sigul has no ability I know of to sign anything without certs and passphrases (ie, there is no non-interactive mode). Also, I would be very strongly against trying to add it to our existing sigul server, and I am not too thrilled about the idea of running more sigul servers. ;)
- Mirroring doesn't seem like it would be that hard, just rsync off the repos and push them out in our regular mirroring system. Could be a fair bit of churn tho, and there's no set schedule, so we would have to decide on frequency, etc.
Copr is just starting. Not so many users right now. I do not think we *need* mirroring right now. I would put this on back burner and revisit this question in ~9 months. But again - if somebody is willing to configure it, then he is welcome.
Right, but the reason this came up in the fesco meeting is if we point _ALL_ of our users at some coprs, that could well be more load than a single point can handle.
- If coprs moves to being inside koji, could we at that point have a better time with these needs?
I think that it does not matter.
- Perhaps we could propose some kind of purgatory type setup between coprs (experimental, just builds, may set your house on fire, may update incompatibly every day) and fedora repository packages (with all the updates guidelines, reviews, etc).
Whoa! That is completely Fedora.next hidden in this sentence :)
:)
We are preparing something like this for SCL right now: https://www-dev.softwarecollections.org/en/directory/new/ Note: ^ this may or may not work, this is a dev instance under heavy development. It is focused on SCL only. This will import SCL from Copr and allow to go through some kind of review. And reviewed collections will get some kind of publicity. This is sooo fresh that I hesitate to anticipate anything. But if this will succeed, we can do something similar in higher scale with all projects on Copr.
ok. Sounds interesting.
Possibly related to this: I wonder if copr could grow a 'meta repo' that has all the repodata of all existing coprs. Then you could just enable one thing and be able to install any coprs?
Yes. I plan to provide such a thing. Unfortunately, according to yesterday's FESCo meeting this could not be shipped in Fedora itself. At least not yet.
Right, but it would make people wanting to use coprs happy now. Ie, right now I have to go to the copr web interface, look around and see what things are interesting, download them and install them one by one. If I had a 'fedora-copr.repo' that contained all projects I could 'yum update' the ones I already have installed easily, or 'yum --disablerepo=* --enablerepo=fedora-copr list' to see what new packages are around. I wouldn't have to search or dig via the web interface.
Of course updating a master repo with metadata could be annoying for locking type issues (if copr a and b finish at the same time, etc).
Just a thought to make it more accessible now. ;)
kevin