FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 05-05-2008, 08:27 AM
Hans de Goede
 
Default Upstream developers mainting there own package in Fedora and nothing else

Hi All,

After the sponsor discussion we recently had, I decided I've been neglecting
the sponsoring and went and took a look at the FE-NEEDSPONSOR queue.


One of the reviews this has got me involved in is fpm2:
https://bugzilla.redhat.com/show_bug.cgi?id=444830

This review is special as the upstream developer is submitting the package, and
he has stated that for now he has no interest in doing other Fedora work.


I believe that it is good to have upstream maintain packages for there own
software, even if that is the only thing they do within Fedora, so I've
proposed the following procedure to the submitter:


--

Ok, we currently don't really have any special rules for an upstream maintainer
becoming a maintainer of its own software within Fedora, but this is definitely
something we want. So I would like to propose the following:


1 I review fpm2, you make any necessary changes etc, until I approve fpm2
2 Once fpm2 is approved you can request cvsextras membership in the account-
system and I'll sponsor you
3 Given that you're new at packaging I'll then co-maintain fpm2 with you
(mostly looking over your shoulder I'm more then busy enough as is).
4 Please refrain from touching other peoples packages as you've not been
through the normal showing the ropes process involved in sponsering
5 If you want to submit another package please let me know then we can continue
the sponsor process there.

Does this sound like a plan?

--

And now I'm wondering what others think of this and if maybe we should get some
kinda special procedure for this? This has lead to me thinking that we really
need the special new contributer group which was proposed by I believe Jesse,
which is to be a special group for new contributers which would not give them
access to anything outside their own packages.


Regards,

Hans

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 05-05-2008, 09:59 AM
Michael Schwendt
 
Default Upstream developers mainting there own package in Fedora and nothing else

On Mon, 05 May 2008 10:27:14 +0200, Hans de Goede wrote:

> Hi All,
>
> After the sponsor discussion we recently had, I decided I've been neglecting
> the sponsoring and went and took a look at the FE-NEEDSPONSOR queue.
>
> One of the reviews this has got me involved in is fpm2:
> https://bugzilla.redhat.com/show_bug.cgi?id=444830
>
> This review is special as the upstream developer is submitting the package, and
> he has stated that for now he has no interest in doing other Fedora work.
>
> I believe that it is good to have upstream maintain packages for there own
> software, even if that is the only thing they do within Fedora, so I've
> proposed the following procedure to the submitter:
>
> --
>
> Ok, we currently don't really have any special rules for an upstream maintainer
> becoming a maintainer of its own software within Fedora, but this is definitely
> something we want. So I would like to propose the following:
>
> 1 I review fpm2, you make any necessary changes etc, until I approve fpm2
> 2 Once fpm2 is approved you can request cvsextras membership in the account-
> system and I'll sponsor you
> 3 Given that you're new at packaging I'll then co-maintain fpm2 with you
> (mostly looking over your shoulder I'm more then busy enough as is).
> 4 Please refrain from touching other peoples packages as you've not been
> through the normal showing the ropes process involved in sponsering
> 5 If you want to submit another package please let me know then we can continue
> the sponsor process there.
>
> Does this sound like a plan?
>
> --
>
> And now I'm wondering what others think of this and if maybe we should get some
> kinda special procedure for this?

My first thought was "do we really need policies for everything"?

Can't we just say that the sponsors have permission to approve accounts
so new contributors may join and get productive?
If you agree with an upstream developer on maintaining a package in Fedora,
either alone or with you as co-maintainer, does it matter how you do it?

You just need to be careful with premature approval of a package+account
from somebody, who only follows Fedora Packaging guidelines reluctantly
during review and later drops the ball. With reasons that may or may not
have to do with Fedora or its bureaucracy. Then you would need to continue
maintaining the package yourself or orphan it. For temporary volunteers
it's too easy to leave the project and leave behind work, which other
people may need to pick up because of dependencies. As long as we have an
increasing collection of guidelines and policies in a Wiki that gives the
feeling of a maze, Fedora is not just another platform which you can throw
at a multi-distribution spec file that doesn't adhere to the policies.
Every package in Fedora demands interest in creating a package that
meets the guidelines and in using the Fedora-specific tools to build
and publish the rpms. It's beneficial if an upstream developer, who
wants to maintain his software in Fedora, actually uses Fedora *and*
the packaged software. Eexcept if Fedora gives reason to be unhappy,
that bears a risk.

> This has lead to me thinking that we really
> need the special new contributer group which was proposed by I believe Jesse,
> which is to be a special group for new contributers which would not give them
> access to anything outside their own packages.

Do you want to prevent accidents? Or do you want to reduce the privileges
of possibly malicious users? Any packager plays with fire if he touches
things other than his own packages. And even if new contributors in a
special group are locked down to their own packages, access to the build
system is the crucial point.

--
Fedora release 8 (Werewolf) - Linux 2.6.23.15-137.fc8
loadavg: 1.02 1.12 1.14

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 05-05-2008, 10:36 AM
Hans de Goede
 
Default Upstream developers mainting there own package in Fedora and nothing else

Michael Schwendt wrote:

On Mon, 05 May 2008 10:27:14 +0200, Hans de Goede wrote:


Hi All,

After the sponsor discussion we recently had, I decided I've been neglecting
the sponsoring and went and took a look at the FE-NEEDSPONSOR queue.


One of the reviews this has got me involved in is fpm2:
https://bugzilla.redhat.com/show_bug.cgi?id=444830

This review is special as the upstream developer is submitting the package, and
he has stated that for now he has no interest in doing other Fedora work.


I believe that it is good to have upstream maintain packages for there own
software, even if that is the only thing they do within Fedora, so I've
proposed the following procedure to the submitter:


--

Ok, we currently don't really have any special rules for an upstream maintainer
becoming a maintainer of its own software within Fedora, but this is definitely
something we want. So I would like to propose the following:


1 I review fpm2, you make any necessary changes etc, until I approve fpm2
2 Once fpm2 is approved you can request cvsextras membership in the account-
system and I'll sponsor you
3 Given that you're new at packaging I'll then co-maintain fpm2 with you
(mostly looking over your shoulder I'm more then busy enough as is).
4 Please refrain from touching other peoples packages as you've not been
through the normal showing the ropes process involved in sponsering
5 If you want to submit another package please let me know then we can continue
the sponsor process there.

Does this sound like a plan?

--

And now I'm wondering what others think of this and if maybe we should get some
kinda special procedure for this?


My first thought was "do we really need policies for everything"?



I hear you, and I agree less is more when it comes to policies.


Can't we just say that the sponsors have permission to approve accounts
so new contributors may join and get productive?


Agreed,


If you agree with an upstream developer on maintaining a package in Fedora,
either alone or with you as co-maintainer, does it matter how you do it?



Well there always is this problem of someone becoming malicious, I guess if
someone really wants to he can easily just follow the normal process, so do a
couple of new packages and a couple of reviews, but this is lowering the
barrier to entry, which I'm fine with, but I atleast want others to know about
this and shout "NOOO" before continuing with this.



You just need to be careful with premature approval of a package+account
from somebody, who only follows Fedora Packaging guidelines reluctantly
during review and later drops the ball. With reasons that may or may not
have to do with Fedora or its bureaucracy. Then you would need to continue
maintaining the package yourself or orphan it. For temporary volunteers
it's too easy to leave the project and leave behind work, which other
people may need to pick up because of dependencies. As long as we have an
increasing collection of guidelines and policies in a Wiki that gives the
feeling of a maze, Fedora is not just another platform which you can throw
at a multi-distribution spec file that doesn't adhere to the policies.
Every package in Fedora demands interest in creating a package that
meets the guidelines and in using the Fedora-specific tools to build
and publish the rpms. It's beneficial if an upstream developer, who
wants to maintain his software in Fedora, actually uses Fedora *and*
the packaged software. Eexcept if Fedora gives reason to be unhappy,
that bears a risk.



Someone leaving again soon after joining is not my biggest worry, either
someone lese picksup his/her packages, or they get orphaned and removed from
the next release.


This has lead to me thinking that we really
need the special new contributer group which was proposed by I believe Jesse,
which is to be a special group for new contributers which would not give them
access to anything outside their own packages.


Do you want to prevent accidents? Or do you want to reduce the privileges
of possibly malicious users?


Both but mainly the second (malicious users).


Any packager plays with fire if he touches
things other than his own packages. And even if new contributors in a
special group are locked down to their own packages, access to the build
system is the crucial point.



True, I forgot about a number of ways to make any package wreck havoc once in
the repo, so someone truely malicious can wreck havoc as soon as he/she can
push packages to the repo. Which really just leaves the accident problem, and
that doesn't have me worried so much.


Regards,

Hans


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 05-05-2008, 10:56 AM
Michael Schwendt
 
Default Upstream developers mainting there own package in Fedora and nothing else

On Mon, 05 May 2008 12:36:49 +0200, Hans de Goede wrote:

> > If you agree with an upstream developer on maintaining a package in Fedora,
> > either alone or with you as co-maintainer, does it matter how you do it?
> >
>
> Well there always is this problem of someone becoming malicious, I guess if
> someone really wants to he can easily just follow the normal process, so do a
> couple of new packages and a couple of reviews, but this is lowering the
> barrier to entry, which I'm fine with, but I atleast want others to know about
> this and shout "NOOO" before continuing with this.

That belongs into my [very] old series of queries related to "sponsor
responsibilities", which is still unanswered because it's a complex
topic. All the burden is on the shoulders of the sponsors. It's completely
up to their judgement whom to sponsor, whether to interview a new
contributor prior to approval, whether to collect and compare personal
information retrieved from web search engines, whether to insist on seeing
a demonstration of packaging skills during review of several packages,
whether to serve as a proxy for a newbie packager, whether and when to
trust somebody from the other side of the world, and so on. And still a
contributor might become hostile after months and delete group-writable
files in cvs under the umbrella of a "sorry, fat fingers" excuse. Then
it's the sponsor's duty to repair the damage.

[The new FAS is not nice to sponsors either. They need to load the
full cvsextras members list and search for the account to sponsor.
Something that resulted in time-outs the last two times I did it.
For sponsors, there doesn't seem to be a list of people you sponsored.]

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 05-05-2008, 12:13 PM
Michael Schwendt
 
Default Upstream developers mainting there own package in Fedora and nothing else

On Mon, 5 May 2008 13:26:00 +0200, Xavier Lamien wrote:

> > [The new FAS is not nice to sponsors either. They need to load the
> > full cvsextras members list and search for the account to sponsor.
>
>
> Hm...sponsor or administrator of an related group should see on its welcome
> FAS's page
> members who requested sponsorship from its "todo queue".

Is that just a guess? Or are you a sponsor and have sponsored somebody
like that?

Here, that list only shows 5 new accounts and not the one I was searching
for. Further, if you click the account name to load the account details,
there is no "sponsor" button anywhere. It can only be found in the full
group view.

--
Fedora release 8 (Werewolf) - Linux 2.6.23.15-137.fc8
loadavg: 1.63 1.81 1.59

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 05-05-2008, 12:19 PM
David Timms
 
Default Upstream developers mainting there own package in Fedora and nothing else

Hans de Goede wrote:

Michael Schwendt wrote:

On Mon, 05 May 2008 10:27:14 +0200, Hans de Goede wrote:

...
This review is special as the upstream developer is submitting the
package, and he has stated that for now he has no interest in doing
other Fedora work.


Ok, we currently don't really have any special rules for an upstream
maintainer becoming a maintainer of its own software within Fedora,
but this is definitely something we want.
I think it carries huge risk. While the upstream person knows a lot
about making their development work in many places {eg from rchive, deb,
rpm}, becoming intimately familiar with Fedora's {solid} methods is time
consuming and difficult. I would anticipate that it would also lead to
such people wanting to once write the build anywhere {rpm} spec. It is
clearly simpler reviewing a spec without half of the spec being "if ...
not SUSE ..." sort of thing, and I feel eases QA effort. But I'm no jedi
packager, nor reviewer.



Any packager plays with fire if he touches
things other than his own packages. And even if new contributors in a
special group are locked down to their own packages, access to the build
system is the crucial point.


True, I forgot about a number of ways to make any package wreck havoc
once in the repo, so someone truely malicious can wreck havoc as soon as
he/she can push packages to the repo.
So a person who could cvs commit his package spec changes but little
else, could require a co-maintainer not involved with the upstream
project, and preferably a long standing trusted fedora package
maintainer to be able push to repo {any}, and perhaps even to request
builds.


Perhaps the process would be {automated by the build/push system} as:
- commit cvs change
- request build
- build system forwards the request to co-maintainers, including commit
changes.
- co-maintainer approves build if sees fit, else explain {eg you are
trying to introduce a root kit}.

- request push
- push system forwards the request to co-maintainers, including commit
changes.

- co-maintainer approves push if sees fit, else explain.

I was thinking a scratch build could be allowed, but given that the
result is accessible by others, that still leads to the potential for
gaining bad rep if/when someone takes advantage, and a tester gets done
{even if the build isn't signed and pushed}.


Is it only trust that stops any sponsored packager pumping out
accidentally or purposely bad packages ? {I forget whether there is a
formal procedure involving experienced others after the commit, build to
get a package pushed.}


DaveT.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 05-05-2008, 01:04 PM
Michael Schwendt
 
Default Upstream developers mainting there own package in Fedora and nothing else

On Mon, 5 May 2008 14:41:42 +0200, Xavier Lamien wrote:

> > > Hm...sponsor or administrator of an related group should see on its
> > welcome
> > > FAS's page
> > > members who requested sponsorship from its "todo queue".
> >
> > Is that just a guess? Or are you a sponsor and have sponsored somebody
> > like that?
> >
>
>
> All you have to do it's to click on the requested group and then upgrade the
> user from sponsor button (only available for unapproved membership) .
> That's what i'm actually do.

And when you do that the page doesn't takes ages to load or time-out?
It doesn't scale.
The more contributors, the longer the full list of accounts.

Even if it's not an operation to perform often, it is regression compared
with the old account system (which displayed a list of unsponsored
accounts by default).

--
Fedora release 8 (Werewolf) - Linux 2.6.23.15-137.fc8
loadavg: 1.18 1.42 1.36

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 

Thread Tools




All times are GMT. The time now is 09:02 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org