Re: Announcing creation of Fedora Source-git SIG

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Apr 14, 2021 at 10:45:23AM +0200, Tomas Tomecek wrote:
> Good morning, I'd like to announce the creation of Fedora Source-git SIG:
> 
> https://fedoraproject.org/wiki/SIGs/Source-git
> 
> Our main goal in the SIG right now is to establish a development
> workflow for Fedora Linux packages using repositories with sources and
> upstream history (this is what we call source-git), instead of just
> distribution files with links to tarballs (dist-git).
> 
> Please head to the SIG wiki page to learn more about our proposed MVP.
> We are looking for maintainers of Fedora Linux packages who'd be
> interested in being early adopters and give us feedback during the
> development process. You don't need to do any coding unless you want
> to :)

We might be interested in trialling it with some of the virt packages.

I'm wondering about the scope of this statement from the wiki page
above:

  "Whatever we produce here, it MUST NOT violate Fedora Packaging 
   Guidelines (we should strive to change them if needed)."

I can certainly understand the intent behind this when dealing with
legally restricted content. eg don't allow impls of patented algorithms
that are blocked from dist-git.

In terms of scope I can reasonably audit the source for current git
master or a specific git tag to ensure legal compliance.

I can't reasonably audit the entire source-git history of the project
back to day 1 though, to make sure the git repo has never had legally
restricted content at any point in the past 20 years of its life.

IOW, I'd hope that in terms of FPG compliance, we only need to consider
the specific tag/branch that's being used to populate dist-git and can
ignore history.

This could still potentially mean that source-git is a complication for
the packages where we have to re-create the tarballs after removing
patented crypto. Will legal allow it to remain in source git, but
require it to be purged when src-git syncs to dist-git or something
like that ?

Overall this does seem to imply though that if Fedora hosts src-git
repos with upstream history itself, then it is potentially opening
a new liability that it hasn't had before. If we're going to host
src-git on a Fedora namespace on gitlab.com though, then its someone
else's problem to worry about, and Fedora only needs to worry about
what's synced to dist-git for the actual RPMs builds.


Aside from legal, I also wonder about things like binary blobs or
bundled libraries. These are relatively common to see in upstream
git repos, even if they don't make it into the release tarballs that
Fedora traditionally consumes.

Hopefully the requirement to comply with Fedora Pakaging Guidelines
will only apply to files in src-git that actually get used for
Fedora builds, and not stuff that exists but is skipped/ignored ?

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux