On Sat, Sep 6, 2014 at 5:07 PM, Dennis Gilmore <dennis@xxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Thu, 04 Sep 2014 17:34:57 +0200 > Miroslav Suchý <msuchy@xxxxxxxxxx> wrote: > >> Hi, >> we (the Copr team) would like to allow uploading of source RPM to >> Copr. It seems that best way is to utilize dist-git [1]. Then Copr >> will fetch sources and spec file from dist-git and build SRC.RPM the >> same as Koji does now. And hopefuly you will be able to use fedpkg to >> interact with Copr. >> >> I see two options available: Copr will have its own dist-git instance >> or we will share dist-git together with Fedora. There are pros and >> cons for both and I would like to summarize it. >> >> 1) Copr will have its own dist-git instance >> Pros: >> * no possible conflicts with Fedora >> * installation of dist-git is tracken in ansible playbook in >> infra.git, so it should be straightforward (although Pavol Babincak - >> current maintainer of dist-git - claimed he had hard times to >> reproduce the installation) Cons: >> * require additional machine (Fedora currently use 8GB RAM + 2 GB >> swap and 1 TB of disk) >> * and additional maintance (although Pavol Babincak claims that >> there are no problems with running instance, he barely need to touch >> it) > Pavol is one of the maintainers he is not the only one. > > >> 2) Copr will share dist-git with Fedora >> Pros: >> * no maintenance of new machine >> * a lot of source are same and shared in look-aside cache (less >> data stored) >> * technically easily possible. E.g. for package 'rpm' in Copr >> project msuchy/foo we can create branch 'msuchy/foo' of dist-git >> 'rpm'. There are separate ACLs for each branch, so owner of >> 'msuchy/foo' branch could not affect branch 'f20' and vice versa. >> Cons: >> * dist-git use MD5 for checksum [2] therefore it can be practicaly >> possible to find collision with existing tar.gz and upload new >> version and Koji will use that file instead. > I do not see this as a huge issue > >> * Koji currently build from given SHA of commit of dist git and >> does not check if it is in correct branch. Therefore it can be >> theoreticaly possible to submit to Koji build from Copr branch. Afaik >> you still have to have ACL for that given branch in Fedora, so only >> Fedora package maintainer can do that and he obviously have no reason >> for that, but still... technicaly possible. > as long as the commit is in git anyone with a koji cert (i.e. > potentially anyone who has signed the fpca) can submit a build. until > we have ways to make sure builds are from an appropriate branch in koji > I will strongly oppose sharing of dist-git > > >> * Legal differences - users of Copr does not have to belong to >> CLA_DONE group. Can it make some problems? I do not know. > yes it can, I do not think we should accept contributions from people > who have not agreed to the fpca. I do not want to get into a situation > where a fedora maintainer pulled commits from a copr repo into Fedora > and we are being asked to remove them because they legally could not > contribute. Huh? What makes one legally not eligible to contribute? Just not signing the fpca? How is that different from someone that submits a patch via bugzilla / mail / whatever? I don't think people check whether those patch submitters have signed the fpca and neither do I think they should. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
