"the rpm question" - summary
Lamar Owen
lowen at pari.edu
Sun Nov 9 04:29:22 UTC 2003
On Saturday 08 November 2003 07:21 pm, Warren Togami wrote:
> On Sat, 2003-11-08 at 12:12, Ingo T. Storm wrote:
> > I think it all comes down to D, which is rather about opinion and
> > directions than technical fact and touches an important question: How
> > much _Fedora.us_ is in _FedoraLegacy_? To me it looks like it's rather
> > the "Fedora.us" core people would like to stay on a successful track
> > (same rpm for everyone),
> 2) I never advocated upgrading to the same version of rpm, rpm-4.2 was
> mentioned. I mentioned that the latest upgrade to the latest versions
> rpm-4.2.1, rpm-4.1.1 and rpm-4.0.5 at rpm.org.
For what it's worth, on a purely technical point, Red Hat already did this in
the past. It is not unreasonable to get everyone up to the same spec file
behavior so that the updated RPMs can be more easily maintained. I have had
to maintain specs that build on more than one RPM version. I even had to
once do this with as old an RPM version as 2.5.
So, Ingo, there are valid technical reasons to desire the same RPM version
across the board, if it's not technically unfeasible to do so. Now, if it is
technically unfeasible, then that's a different issue. But there's no
politics involved from my view: not that there isn't from others; I can only
vouch for my own opinion.
As to the the politics, I have only two words to the 'opposing factions'
involved. "Grow Up!"
Fedora Legacy won't involve third party repositories, fancy release tags, or
any such. There is strong precedent in the package naming of previous
errata; this precedent should continue to be followed so that upgrades don't
break from a up2date 7.3 to Fedora Core (or even to RHL9, for that matter).
So the issues here are much fewer than the current maelstrom over on the
Fedora lists. The issues here are not the same as even the old fedora.us
issues, so the same guidelines don't necessarily need to apply. If anything,
the guidelines might need to be stricter.
I see:
1.) A package needs a maintainer. This is not a small task for some packages:
for instance, if a security alert happens for PostgreSQL, the erratum needs
to be for the same major version as shipped with that supported Red Hat
release. (I pick on PostgreSQL since I maintain the postgresql.org RPMset).
This task for PostgreSQL may mean a major backpatching effort (which happened
not long ago for multiple releases where the upstream developers were not
wont to backpatch). This would have to be up to the maintainer to do,
though. The maintainer must be able to exercise some authority over the
owned package; rely on the maintainer's possessiveness to keep things right
and tight, within guidelines. This is not unlike how Red Hat works
internally, from what I've gathered in four years of beta testing.
2.) Guidelines for how to go about the above. When does it become
unreasonable to stay with the same major version, backpatching security
fixes? Red Hat did this; this is very resource intensive and is expensive,
which is why we are in the whole Fedora Legacy situation in the first place.
3.) There needs to be a good way to get the updates out to users. This
implies a trust infrastructure between developers, as well as a mirror
structure and secure uploading mechanisms. A simple way to do this is with
scp using RSA authentication. The upload needs to be source only -- the
buildfarm needs to build and sign with the Fedora Legacy key in an automated
(or semi automated for a little extra security -- I have some ideas how to
make this secure and not exploitable -- the biggest thing is that the actual
build farm must not be directly connected to the Internet) fashion. This
simplifies the trust relationship somewhat, since the binaries are all signed
with a single key (or at least a few keys, instead of one for each
maintainer). This boils down to the question 'How seriously is Fedora
Legacy going to take itself?' -- that is, is FL going to be a volunteer
business with a security reputation equal to Red Hat's (I personally think
this is unreasonable: the only way I'm going to use community-built errata is
by rebuilding from source RPM!). (although I break my own rules with the
Aurora project, but that's about to change...) Or to put it much more
bluntly: I wouldn't even install the PostgreSQL binaries that I myself upload
on my production machines. And it has nothing to do with the fact that they
are not signed.
4.) There needs to be some governance. I propose a steering committee based
on merit: if you put up the bandwidth, you get a say in the governance, etc.
This is the way the PostgreSQL steering committee works. Membership is by
invitation of the existing steering committee. Those who do the work get a
say in how the work is done, basically. This would be the way rogue
maintainers would be reigned in. (revoke their RSA auth keys, no login).
There must be checks and balances all the way around. A dictatorship is
worse than anarchy, but neither are very productive.
5.) If FL is to be taken seriously by people like me (IT Directors), then the
petty squabbling must stop. Now.
--
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
More information about the fedora-legacy-list
mailing list