Public SPEC files please

Michael Schwendt fedora at wir-sind-cool.org
Fri Nov 5 22:59:17 UTC 2004


On Fri, 5 Nov 2004 23:03:50 +0100 (CET), Dag Wieers wrote:

> On Fri, 5 Nov 2004, Alan Cox wrote:
> 
> > On Fri, Nov 05, 2004 at 06:20:42PM +0100, Michael Schwendt wrote:
> > > > How can 4 people 
> > > > work together if only 1 person can make commits ?
> > > 
> > > With "poor man's CVS" because of lack of CVS. When four people work
> > > together, everyone of them can take the most recent src.rpm and either
> > > submit patches or submit a modified src.rpm. And the others review the
> > > changes and approve the package (unless they are trusted).
> > 
> > Linux kernel works this way near enough.
> 
> Well, I didn't say it was impossible. And that question is actually a poor 
> one, I admit. It's not really a problem that only one person can commit, 
> the problem is that it is hard for the other three to follow development 
> and you need much more communication to get things done.
> 
> But let me rephrase:
> 
>  + You're only interested in the SPEC file and a few patches and the 
>    changes to that SPEC file. In the best case see all the changes that 
>    happened since the latest release and by whom.

Then by all means, get in contact with the developer and ask him to
either send you the spec or put it online. You do like e-mail. I know
that.

Suppose somebody takes your spec file and modifies it on his home
machine. After several changes he's satisfied with the changes and
creates a src.rpm. He opens a ticket at bugzilla.fedora.us and submits
the src.rpm for inclusion in the repository. Maybe he even has a web
server with a public yum repository, where he offers his self-made
packages. Meanwhile, a different developer has packaged the same
software from scratch and submits another package, not noticing the
older request. Now what should fedora.us do in such a case? The
submitted src.rpms are still on a remote server, the packager's own
web space. Suppose reviewers have seen the first package request and
downloaded the src.rpm, to find out it seems to have severe problems
and doesn't even build. In parallel, another reviewer notices the
second submission and closes the ticket as duplicate. Now the two
packagers meet each other. Communication about how to proceed is
absolutely necessary at this point, since two spec files and two
packagers exist. It should be doable for them to agree on
e.g. exchanging diffs or spec files, probably even outside
bugzilla. And when they're done, one of them creates a src.rpm, the
other one posts a utilisable gpg signed approval, and that is a big
step towards getting it published. For updates, they agree to add
themselves to Cc. Or they open a meta ticket in bugzilla, which they
use for communication and a substitute of a package-specific mailing
list.

Do we really need to discuss the potential dangers of CVS commit
access for everyone?

>  + The SPEC files are inside Source packages that are located on someone's 
>    webserver (that at this time is even no longer available). Different 
>    packages are on different servers by different packagers.

Yes, of course. While everybody is permitted to open package request
tickets and provide links to packages (even binary ones!) on external
servers, all these have not been reviewed at all by someone other than
the submitter. They are not content provided by fedora.us until they
are published in the fedora.us repository. Submitted packages could
contain malicious software, or, in a less severe scenario, major bugs
which rm -rf / for people who would build them as root.

So, what are you trying to point out? That fedora.us doesn't offer CVS
commit-access for everyone? That no anonymous FTP/HTTP upload space is
offered? A CVS server at fedora.us exists, and some packages are
developed in it. But afaik it is not connected to the build system.
So, final package submission remains bugzilla-based.

And why are we discussing this when we wait for official Fedora Extras
anyway?

>  + The only way to know the existence of such a project/package is to find 
>    it in bugzilla and look for the different URLs of these packages.

Surprise, surprise. Imagine somebody derived a SuSE Linux package from
your spec file, cutting off the %changelog. You might never learn
about that.

Well, if we still had the fedora-package-announce mailing-list, you
would subscribe there and learn about new releases. And no, there is
no complete package CVS infrastructure at fedora.us. So, repeat it as
often as you like, CVS is hoped for with official (i.e. Red Hat-led)
Fedora Extras.
 
> So it's rather hard to follow the development of a single package, let 
> alone follow the different developments of many packages.

As a comparison, how would I follow pre-release development of your
packages? Or alternatively, freshrpms?
 
> At least with the kernel you take 2 trees and compare those and you see 
> all changes. Here we're talking about at least 200 packages. (Or how many 
> are there in total now ?)

Should be more than 400.

-- 
Fedora Core release 3 (Heidelberg) - Linux 2.6.9-1.649
loadavg: 1.02 1.02 1.09
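As an added example (not code from this thread or from fedora.us), the kind of pre-build check a reviewer could run over a submitted spec before rebuilding it as an unprivileged user: it separates the shell-executed sections of the spec and flags `rm -rf` targets that collapse to `/` when a build variable expands empty. The spec text below is constructed for the example.

```python
import re

# Spec sections that rpmbuild (or rpm at install time) feeds to the shell.
SHELL_SECTIONS = {"%prep", "%build", "%install", "%check", "%clean",
                  "%pre", "%post", "%preun", "%postun"}
OTHER_SECTIONS = {"%description", "%files", "%changelog", "%package"}
# rm with -r and -f in either order; capture the first target word.
RM_RF = re.compile(r"\brm\s+-(?:rf|fr|Rf|fR)\s+(\S+)")
# A shell variable followed by / or /*: an empty expansion leaves / or /*.
UNGUARDED_VAR = re.compile(r"^\$\{?\w+\}?/\*?$")

# Constructed sample spec (not from the list thread); %clean is the bad line.
SAMPLE_SPEC = """\
Name: example
Version: 1.0
Release: 1
%description
Constructed spec used only to exercise the scanner.
%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
%clean
rm -rf $RPM_BUILD_ROOT/*
%post
rm -rf /var/cache/%{name}
"""

def split_sections(spec_text):
    """Map each shell-executed section to the lines of its body."""
    sections, current = {}, None
    for line in spec_text.splitlines():
        words = line.split()
        head = words[0] if words else ""
        if head in SHELL_SECTIONS or head in OTHER_SECTIONS:
            current = head if head in SHELL_SECTIONS else None
            continue
        if current is not None:
            sections.setdefault(current, []).append(line)
    return sections

def risky_removals(spec_text):
    """Return (section, target, line) for rm -rf calls that can collapse to /."""
    findings = []
    for name, lines in split_sections(spec_text).items():
        for line in lines:
            for target in RM_RF.findall(line):
                if target in ("/", "/*") or UNGUARDED_VAR.match(target):
                    findings.append((name, target, line.strip()))
    return findings
```

The guarded `rm -rf $RPM_BUILD_ROOT` in `%install` is not reported; the unguarded `$RPM_BUILD_ROOT/*` in `%clean` is.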

More information about the fedora-test-list mailing list