Thoughts from last meeting

Jon Stanley jonstanley at gmail.com
Sat May 26 06:53:44 UTC 2012


On Fri, May 25, 2012 at 6:05 PM, Kevin Fenzi <kevin at scrye.com> wrote:

> If layered product folks start getting a flood of "I'm using version
> $foo of your product" and that's the version shipped in RHEL instead, we
> might drop this from EPEL to avoid causing undue support burden on
> them? Then again, another layered product might say "well, that's not
> what we ship, reinstall with $foo before we support you" Or another one
> might say "we think it's great that EPEL ships this so we can get more
> people testing it and providing feedback".

In reality "layered product folks" is GSS. They get *all* support
inquiries, no matter how large the customer. If they have a TAM, that
TAM is in the GSS org structure. So we can safely ignore the product
management side of this (who could probably be considered the "owners"
of the layered product channels).

In my world, we carefully screen every repo that we produce (via an
internal repo building mechanism) for things that do not have the RPM
signatures that we expect (which is the RHEL prod signature, plus a
manually maintained whitelist of unsigned, EPEL, IHV, etc packages).
Anything that snuck in from EPEL (or a RHEL beta, or whatever source
it might be from, including unsigned) would be thus caught unless it
was on the whitelist. I would posit that anyone who cares about the
provenance of their packages, and knowingly consumes packages from
alternative repos (EPEL being an example of such) does the same. If
they don't, then the onus is on them to do something about it - not on
EPEL to prevent them from shooting themselves in the foot.

$0.02
-Jon
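
[Added example, not part of the original message and not the poster's internal tooling.] A sketch of the screening described above: accept packages signed with the production key, accept whitelisted exceptions only with their recorded signer, and report everything else. The key IDs, package names and whitelist format are constructed assumptions; the query tags are standard rpm header tags.

```python
import re
import subprocess

# Constructed placeholder key IDs, not real signing keys.
PROD_KEY = "aaaaaaaaaaaaaaaa"
EPEL_KEY = "bbbbbbbbbbbbbbbb"
# Hypothetical whitelist format: package name -> the only signer accepted for
# that exception (a key ID, or None for a package allowed to be unsigned).
WHITELIST = {"nagios": EPEL_KEY, "collectd": EPEL_KEY, "vendor-raid-tools": None}

QUERY = ("%{NAME}\t%{RSAHEADER:pgpsig}\t%{DSAHEADER:pgpsig}"
         "\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n")
KEY_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")

def query_rpms(paths):
    """Read name and signature fields from RPM files (requires rpm)."""
    done = subprocess.run(["rpm", "-qp", "--qf", QUERY, *paths],
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()

def screen(lines, prod_key=PROD_KEY, whitelist=WHITELIST):
    """Return (package, reason) for each package that breaks the policy."""
    rejected = []
    for line in lines:
        name, _, sigs = line.partition("\t")
        keys = sorted({k.lower() for k in KEY_RE.findall(sigs)})
        if keys == [prod_key]:
            continue  # production-signed: always accepted
        signer = ",".join(keys) or "unsigned"
        if name not in whitelist:
            rejected.append((name, f"{signer}: not on whitelist"))
        elif keys != [k for k in [whitelist[name]] if k]:
            rejected.append((name, f"{signer}: whitelist expects "
                                   f"{whitelist[name] or 'unsigned'}"))
    return rejected

SIG = "RSA/SHA256, Mon 02 Jan 2012 10:00:00 AM UTC, Key ID "
NONE = "(none)\t(none)\t(none)"
# Constructed sample of the query output, one line per package.
SAMPLE = [
    f"bash\t{SIG}{PROD_KEY}\t{NONE}",
    f"nagios\t{SIG}{EPEL_KEY}\t{NONE}",
    f"vendor-raid-tools\t(none)\t{NONE}",
    f"htop\t{SIG}{EPEL_KEY}\t{NONE}",
    f"collectd\t(none)\t{NONE}",
    f"mytool\t(none)\t{NONE}",
]
```

The key ID in the header only names the claimed signer, so a real pipeline would also verify each package with `rpm --checksig` against the imported public keys before trusting this result.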




More information about the epel-devel-list mailing list