-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 04 Sep 2014 17:34:57 +0200 Miroslav Suchý <msuchy@xxxxxxxxxx> wrote: > Hi, > we (the Copr team) would like to allow uploading of source RPM to > Copr. It seems that best way is to utilize dist-git [1]. Then Copr > will fetch sources and spec file from dist-git and build SRC.RPM the > same as Koji does now. And hopefuly you will be able to use fedpkg to > interact with Copr. > > I see two options available: Copr will have its own dist-git instance > or we will share dist-git together with Fedora. There are pros and > cons for both and I would like to summarize it. > > 1) Copr will have its own dist-git instance > Pros: > * no possible conflicts with Fedora > * installation of dist-git is tracken in ansible playbook in > infra.git, so it should be straightforward (although Pavol Babincak - > current maintainer of dist-git - claimed he had hard times to > reproduce the installation) Cons: > * require additional machine (Fedora currently use 8GB RAM + 2 GB > swap and 1 TB of disk) > * and additional maintance (although Pavol Babincak claims that > there are no problems with running instance, he barely need to touch > it) Pavol is one of the maintainers he is not the only one. > 2) Copr will share dist-git with Fedora > Pros: > * no maintenance of new machine > * a lot of source are same and shared in look-aside cache (less > data stored) > * technically easily possible. E.g. for package 'rpm' in Copr > project msuchy/foo we can create branch 'msuchy/foo' of dist-git > 'rpm'. There are separate ACLs for each branch, so owner of > 'msuchy/foo' branch could not affect branch 'f20' and vice versa. > Cons: > * dist-git use MD5 for checksum [2] therefore it can be practicaly > possible to find collision with existing tar.gz and upload new > version and Koji will use that file instead. I do not see this as a huge issue > * Koji currently build from given SHA of commit of dist git and > does not check if it is in correct branch. Therefore it can be > theoreticaly possible to submit to Koji build from Copr branch. Afaik > you still have to have ACL for that given branch in Fedora, so only > Fedora package maintainer can do that and he obviously have no reason > for that, but still... technicaly possible. as long as the commit is in git anyone with a koji cert (i.e. potentially anyone who has signed the fpca) can submit a build. until we have ways to make sure builds are from an appropriate branch in koji I will strongly oppose sharing of dist-git > * Legal differences - users of Copr does not have to belong to > CLA_DONE group. Can it make some problems? I do not know. yes it can, I do not think we should accept contributions from people who have not agreed to the fpca. I do not want to get into a situation where a fedora maintainer pulled commits from a copr repo into Fedora and we are being asked to remove them because they legally could not contribute. > Pavol suggested us to have our own instance. But I know there are a > lot of people from infra, legal and other team, who can add something > insightful before we start working on this. > > [1] Although I heard one voice saying we should move from home brew > code to more standardized git-annex [2] move to SHA is work in > progress https://fedorahosted.org/rel-eng/ticket/5846 > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJUCyM2AAoJEH7ltONmPFDRHbIP/jxmr3wwWGwqxju1O6XncTac DAPzSSrkUVHvDjdNVt8PCRkVPISGYheKKQubbMems6yC5WpdtncShuv8ww3Yx/+9 WE2ikaAkawi5klPgGkTY1xTBpRV+tmSLXdVd+8A7XS+G9NLpAvhqj+9/AF3F0GHJ mTFZR6jVDE+elNN1DO+fQm88yi21zUie40YPPv8E5yE629PJM4GSwIrA+oqvIBjX YJmXXvOvji9jtGV2hcB8+JVQLKi+n6zJZatRf22CPK9hYCue/AQNzzpMBcYF/nOi WIdncqU10HPFGpJi4RqEfM0mq2Fl0DSP2zfdaD6zzheJCkeDydzUwmc8fD3M8Zcr r0VmZg9l0zl/xwR5dVDlE4agwy1ijoY1PMBMBSIqNe4bUeFX6PxtcWyQk8K5QmQi r1+vrTePo5M5+d7Mw9A4y2hsyuju14VB25JqgGoEpmE4gM0KXTXwaHbISDlEt8g7 AbM8VgiuHERrSvdEMHwLViaqN/07bVMNvsO0IvMS87UDzWWRkuIRuIe4QnJhppE7 aAMOzF5JqweSz6QyVdjTIhIAdjXimakJVCFiTyy5a/8BXMub60UFekXiYmG1/hdO sSlNUnb54e0RtQqPW9/aQl2PxUyfpYy1tDGLF6K1k4TjIijSB6FIduaS2onnI8zm DtJtenHmyz/WxhG1PDUa =GXK3 -----END PGP SIGNATURE----- -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
