#10 Add possibility to provide containers with content that is not part of an RPM
Closed 5 years ago Opened 5 years ago by sheogorath.

As a Contributor, you should only be creating containers out of pre-existing software in the Fedora RPM repositories which adheres to the Package Naming Guidelines and Packaging Guidelines.

This is currently part of the review requirements.

For languages like NodeJS there exist projects with more than a thousand depending npm packages and they would all need to be provided as an RPM to fit into this requirement.

I think it's reasonable to allow non-RPM software inside a container because containers already provide isolation. So apart from possible license issues, which we have to address anyway, I don't see any big issues with non-RPM software.

For some instances we may want to provide guidelines for best practices in Dockerfiles but that's the next step.

What do you think? Any other reason, besides licenses, to enforce RPM?


Metadata Update from @cverna:
- Issue tagged with: meeting

5 years ago

I think this is something we want to allow at one point, but we need to work out how to make it possible. For example, currently the container build system (OSBS) does not have access to the internet, so we would not be able to pull packages using npm or pip, for example.

I think that the biggest issue will be reproducible container builds. We will definitely need some way to cache contents that will get injected into the container. (IMHO we should keep the build environment disconnected from the internet.)

From that standpoint I think that there should be a no-binary policy, i.e. all binary content should be (re-)built so it respects the general packaging guidelines (LD/CFLAGS) and is linked against the Fedora-provided libraries (API/ABI).

Also I think that yet another can of worms will be tracking what went where, what security vulnerabilities the said content has, and which containers are affected.

AFAIK the main problem is licensing, as @sheogorath pointed out. Everything that comes out of Fedora needs to be free, open source and provided under an acceptable open source license.

Reproducible builds and auditing are probably the second issue, @jcajka +1.

Would be nice to have an opinion from legal and rel-eng here.

cc @spot and @mohanboddu, @puiterwijk for legal and releng inputs.

It popped into my mind whether it would be more feasible to potentially create something similar to COPR, but for layered container images (created by the users/not supported by the distribution), analogous to dockerhub/Quay. Maybe we will be able to get it for free, if we move to Quay eventually.

But the question will be whether we want to "compete" with dockerhub/quay and have resources for it?

Closing for now, we can reopen a new ticket once we have a concrete proposition on how to achieve this.

Metadata Update from @cverna:
- Issue status updated to: Closed (was: Open)

5 years ago
