2015-09-13 10:16 GMT+02:00 Andrew Haley <aph@xxxxxxxxxx>: > > The development model followed by much of the upstream world is > immature: it may not even be repeatable, let alone well-defined. > Shoehorning upstream's mess of bundled requirements is a very useful > service that we can provide to our users. By behaving in a mature way > we can show that free software can be more reliable (predictable, > trustworthy) than proprietary software. > That's quite the idyllic picture and it might have been true a decade ago. But, distros have lost the influence they used to have then, we're in the cloud/container era where people bundle everything ... Before, upstream used to welcome patches to unbundle libraries or we just ignored niche projects with difficult upstream. Now, it's very common that large upstream projects just tell us to get lost. Results: 1. Packages maintainers burning out in following fast-paced projects as some bundled libs have older API than latest releases, others are heavily modified, and others are added. 2. Decrease in quality as these changes rejected by upstream are not tested in their CI or by their community. Let's recognise that our QA for packages is quite weak. 3. We can't ship a lot of "critical" packages for our users that ends up relying on third party repo with far *lower* standards, or switch to other distros. 4. Bundled libs are sneaked in thanks to sloppy incoming reviews and that we usually don't review existing packages. 1 => it's important that we do not task our fellow contributors with unreasonable efforts. 2 & 3 => that's something that makes us less relevant for end users 4. => ruins completely the effort. Moreover, security team can't track CVE for these bundled libraries as they're not announced. The difficulty is here to keep the incentive of pursuing the effort, while relaxing the rules to discourage bad practices from our folks, and keep Fedora relevant to users. Long-term solution would probably be rings or alike, so we could focus on properly curated core, and have groups focusing on a small set of packages without affecting the rest of us. > I remember the time before free software distros like Fedora: it was > chaotic, with messes of bundles and contradictory dependencies from > all over the place, with no reliable tools for finding things. > Relying on the upstream ecosystem's way of sorting this out, with a > different mechanism provided depending on programming language, isn't > going to do it. > > Andrew. > The world has changed, and containers have made this problem less relevant so it's gonna stay like this for a while. Ignoring that fact would just lead to our downfall, and leave the space to alternatives with lesser quality. H. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
