FESCo approved a request brought by rel-eng to allow a small set of packages to be checked into cvs and built only into a side tag before they pass review. Once they are building and brought up to standard, they would be put up for a full review and only then be built for the distribution.

FESCo did say that there were certain review criteria that should be met before the packages could even get to that initial step of being checked into cvs and built for the side tag. They mentioned Not-from-source checks and legal issues as being in this category.

We need to decide if there are additional Packaging Guidelines that need to be followed in order for the packages to pass prereview and push that recommendation to FESCo. It's also our job to document what those Guidelines are. I've made a start with this page:

https://fedoraproject.org/wiki/Pre-review_Guidelines_(draft)

It lists these Guidelines:

* Licensing:Main
* Packaging:LicensingGuidelines
* Packaging:SourceURL
* Packaging:Guidelines#No_inclusion_of_pre-built_binaries_or_libraries
* Packaging:Guidelines#Duplication_of_system_libraries

The main concerns that I think we're trying to protect against are:

1) Is it legal for Fedora to distribute this package?
2) Reducing the chances that the package is going to do something that could cause issues for the build system.

A third concern that I have, but which depends on whether the packages in the side tag will be moved over to the dist tags or whether they will be rebuilt fresh in the dist tag, is:

3) Protecting the toolchain from being built with malicious code.

If the packages are going to be rebuilt fresh with our existing toolchain after a full review is done, then this wouldn't be a big issue to me, as the full review either will or will not catch it as normal. If the packages built into the side tag will be moved over to the dist tag (or simply added as a buildroot override for the dist tag) in order to bootstrap the new packages, then I would be concerned.

fnasser, do you know if you guys need bootstrapping or will things be built fresh?

-Toshio
-- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging