Re: Upstream developers maintaining their own package in Fedora and nothing else

Michael Schwendt wrote:
> On Mon, 05 May 2008 10:27:14 +0200, Hans de Goede wrote:

> > Hi All,
> >
> > After the sponsor discussion we recently had, I decided I've been neglecting the sponsoring and went and took a look at the FE-NEEDSPONSOR queue.
> >
> > One of the reviews this has got me involved in is fpm2:
> > https://bugzilla.redhat.com/show_bug.cgi?id=444830
> >
> > This review is special as the upstream developer is submitting the package, and he has stated that for now he has no interest in doing other Fedora work.
> >
> > I believe that it is good to have upstream maintain packages for their own software, even if that is the only thing they do within Fedora, so I've proposed the following procedure to the submitter:
> >
> > --
> >
> > Ok, we currently don't really have any special rules for an upstream maintainer becoming a maintainer of their own software within Fedora, but this is definitely something we want. So I would like to propose the following:
> >
> > 1. I review fpm2, you make any necessary changes etc., until I approve fpm2.
> > 2. Once fpm2 is approved you can request cvsextras membership in the account
> >    system and I'll sponsor you.
> > 3. Given that you're new at packaging I'll then co-maintain fpm2 with you
> >    (mostly looking over your shoulder, I'm more than busy enough as is).
> > 4. Please refrain from touching other people's packages as you've not been
> >    through the normal showing-the-ropes process involved in sponsoring.
> > 5. If you want to submit another package please let me know, then we can continue
> >    the sponsor process there.
> >
> > Does this sound like a plan?
> >
> > --
> >
> > And now I'm wondering what others think of this and if maybe we should get some kind of special procedure for this?

> My first thought was "do we really need policies for everything"?


I hear you, and I agree less is more when it comes to policies.

> Can't we just say that the sponsors have permission to approve accounts
> so new contributors may join and get productive?

Agreed.

> If you agree with an upstream developer on maintaining a package in Fedora,
> either alone or with you as co-maintainer, does it matter how you do it?


Well, there always is this problem of someone becoming malicious. I guess if someone really wants to he can easily just follow the normal process, so do a couple of new packages and a couple of reviews, but this is lowering the barrier to entry, which I'm fine with, but I at least want others to know about this and shout "NOOO" before continuing with this.

> You just need to be careful with premature approval of a package+account
> from somebody, who only follows Fedora Packaging guidelines reluctantly
> during review and later drops the ball. With reasons that may or may not
> have to do with Fedora or its bureaucracy. Then you would need to continue
> maintaining the package yourself or orphan it. For temporary volunteers
> it's too easy to leave the project and leave behind work, which other
> people may need to pick up because of dependencies. As long as we have an
> increasing collection of guidelines and policies in a Wiki that gives the
> feeling of a maze, Fedora is not just another platform which you can throw
> at a multi-distribution spec file that doesn't adhere to the policies.
> Every package in Fedora demands interest in creating a package that
> meets the guidelines and in using the Fedora-specific tools to build
> and publish the rpms. It's beneficial if an upstream developer, who
> wants to maintain his software in Fedora, actually uses Fedora *and*
> the packaged software. Except if Fedora gives reason to be unhappy,
> that bears a risk.


Someone leaving again soon after joining is not my biggest worry; either someone else picks up his/her packages, or they get orphaned and removed from the next release.

This has led me to thinking that we really need the special new contributor group which was proposed by, I believe, Jesse, which is to be a special group for new contributors which would not give them access to anything outside their own packages.

> Do you want to prevent accidents? Or do you want to reduce the privileges
> of possibly malicious users?

Both but mainly the second (malicious users).

> Any packager plays with fire if he touches
> things other than his own packages. And even if new contributors in a
> special group are locked down to their own packages, access to the build
> system is the crucial point.


True, I forgot about a number of ways to make any package wreak havoc once in the repo, so someone truly malicious can wreak havoc as soon as he/she can push packages to the repo. Which really just leaves the accident problem, and that doesn't have me worried so much.

Regards,

Hans

