#300 Update the 3rd party repo policy
Closed: deferred 2 years ago by mattdm. Opened 2 years ago by aday.

The Workstation Working Group is continuing its work around 3rd party repos and, as a result, have two policy amendments that we would like to present. (These can both by found in this PR.)

1. Housekeeping

For some reason we seem to have two competing 3rd party repo policies (the first is in the FESCo docs, the second is on the workstation wiki pages). We've been unable to reconstruct the exact history of both, but it does seem that they have both been approved for use.

We are therefore proposing to merge the two policies. The version from the wiki is more comprehensive, and so makes up the majority of the new policy document. However, the logic of both policies has been retained whereever possible. The exceptions to this are:

  • The existing FESCo policy seems to specify that working groups can approve 3rd party repos containing non-free software, but not repos that contain free software. It is unclear whether this was intentional or not and, as a result, the update changes the policy to give working groups the ability to approve 3rd party repos that contain both free and non-free software.
  • The recent decision about metadata enablement is applied to all types of repos covered under the policy, including Coprs.

It should be noted that the policy on the workstation wiki covers the types of repos that can be used as the main repos of an Fedora edition, the intention being to enable working groups to provide Moby images and Flatpaks out of the box. Since these aren't 3rd party repositories, these sections have been removed from the policy. My suggestion would be to have a separate policy elsewhere to cover what can and can't be used as an edition's primary repositories.

2. App whitelisting and "diverse repos"

The workstation working group would like to be able to include certain applications from Flathub in its 3rd party repos, and we'd like to do this by maintaining our own whitelist of Flathub apps to make available.

Our understanding is that the existing FESCo policy prevents this, because of the following clause:

"Third party repositories that host diverse pieces of software (a repository like Fedora before it became a Red Hat community project, for instance) cannot be searched or enabled."

We would therefore like to change that clause, so that it reads as follows:

"Working groups and SIGs should maintain close control over the software that is made available through third party repositories, in order to prevent unvetted software being made available to Fedora users. As part of this, third party repositories should be managed in such a way that Fedora Legal can easily audit them at any time. This implies that third party repositories should be limited to including small numbers of packages, or that measures should be put in place to limit which packages are made available from a particular repository."

We believe that this change remains true to the original intent of the policy, while giving us some additional flexibility in how to implement it.


Hooray for reducing duplication!

I'm confused by this:

in order to prevent unvetted software being made available to Fedora users. As part of this, third party repositories should be managed in such a way that Fedora Legal can easily audit them at any time.

Vetted for what? Audited for what? (although the previous version is entirely opaque to me, so this is an improvement)

Can you give an example of what the Flathub case looks like? Is it that you'd pre-install flatpaks from Flathub, or just make the Flathub remote available but restrict the applications?

I'm confused by this:

in order to prevent unvetted software being made available to Fedora users. As part of this, third party repositories should be managed in such a way that Fedora Legal can easily audit them at any time.

Vetted for what? Audited for what? (although the previous version is entirely opaque to me, so this is an improvement)

I wasn't involved in the drafting of the original policies, so I can't speak to the original intent. The existing FESCo policy states the need for Fedora legal to "audit packages for legal problems" and the clause that you're citing here is attempting to restate that principle.

The vetting in this case is done by the working groups, and the policy provides details on what that should look like (currently here).

I can try and reword that sentence so it's clearer?

Can you give an example of what the Flathub case looks like? Is it that you'd pre-install flatpaks from Flathub, or just make the Flathub remote available but restrict the applications?

The idea is to make a restricted set of Flathub apps available under the existing terms of the 3rd party policy - the user would have to explicitly enable the repo in order to have those apps become available to install.

Since it affects a FESCo policy, does this really belong here? Seems to me that FESCo would be the right body to handle this.

Since it affects a FESCo policy, does this really belong here? Seems to me that FESCo would be the right body to handle this.

Agreed. I think this fits within the bounds of FESCo's authority.

No preference on the WG side with regards to whether this is decided by Council or FESCo. I posted it here beacuse previous decisions about the policy were made by council (#289 and #121), but if it's decided that FESCo should deal with it then we can move this issue over.

In case there's any uncertainty: I'm waiting for it to be confirmed that this issue should be handled by FESCo, before I pass it over to them to decide on.

@aday Yeah, this seems like it's reasonably handled by FESCo, at least where it's about the technical and procedural matters. Some aspects (like promoting other package sources over Fedora packaging) might be better here, but let's start with FESCo.

Metadata Update from @mattdm:
- Issue close_status updated to: deferred
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata