clement is a yum repository?

Toshio Kuratomi a.badger at gmail.com
Thu Dec 21 23:22:40 UTC 2006 

On Thu, 2006-12-21 at 16:41 -0500, Jean-Marc Pigeon wrote:
> From my stand point the repos.d/clement
> 	is an anchor and it is our duty (as application designer)
> 	to provide legacy RPM. When doing a release we provide 
> 	clement's RPM from RH7.3 to FC6 and including Centos, RHEL
> 	and mandriva... 
Sure.  So on the clement website and download page you need to provide a
repo file or rpm that will install a yum repo.  This should not be in
the Fedora package.  Putting it in the Fedora is detrimental on a number
of counts.  Here's some off the top of my head:

1) Legality: Having a repo file that points to livna.org, for instance,
could put Fedora at risk of being sued for contributory infringement.

2) Accountability: Fedora cannot guarantee anything about the quality of
packages or the ability of the packages at the remote repository to work
with Fedora.  Just the existence of the repo file can break upgrades on
the users system.

3) Time: We're mostly volunteers.  Who wants to periodically check all
the repo files provided by any package to ensure they're disabled and
point to a repo that's only distributing legal items?

4) Usability of yum: What happens if 10% of our packages feel they need
to give yum an upstream repo file?  Suddenly, there's 100+ repo files
that yum has to deal with.  If they're all enabled then yum has to
download primary.xml files from all of them.

> 	tcpdump on FC6 is outdated, to have a reference
> 	to "enabled" in repos.d and reach a master site to grab 
> 	the latest version. would be nice... (up to me to enable
> 	this specific repos.d). 

This is not a good idea.  One job of a distribution is to produce a set
of packages that work together.  Giving the user a repos.d file to
download packages direct from upstream that replace the Fedora packages
interferes with this.  Another job is fixing security holes.  If we've
patched a hole locally but upstream hasn't made a release with the fix,
users of the upstream package are going to be running less secure code.

> 	Once again, adding this anchor within repos.d is not
> 	conceptually different than the "Source:" information 
> 	within spec file.

It is different.  Any file in repos.d is "live".  Even if it is
disabled, a user can run yum upgrade --enablerepo=buggykernel and get
the packages listed there.  Source: Just tells you where to look.

-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-extras-list/attachments/20061221/4104993e/attachment.sig>

More information about the fedora-extras-list mailing list