#1421 FESCO Decision on COPR/Playground in GNOME Software
Closed None Opened 4 years ago by sgallagh.

FESCo is asked to make a decision on the following specific question:

Is it acceptable for an RPM distributed within the standard Fedora collection to provide a yum/dnf repo file with the following configuration:

  • The repo file points to a COPR repository. These are repositories that are already vetted by Legal and carry no potential liability.
  • The repo file has the setting {{{enabled=0}}}. This means that yum, dnf and other tools cannot install software from this repository without a manual step (such as {{{--enablerepo=<repo>}}})
  • The repo file has the setting {{{enabled_metadata=1}}}. This means that yum, dnf and other tools ''can'' optionally retrieve the metadata from this repository to provide a list of its contents to the user.

This request is for clarification of the existing policy at https://fedoraproject.org/wiki/Third_Party_Repository_Policy which is somewhat unclear on this case (because the metadata distinction was not clear at the time it was written). Also, this request is entirely about the ''policy'' and not the technical implementation. There may be concerns about the specific implementation (such as COPR bandwidth), but those should be decided after the policy.


To be clear. I'm +1 to this clarification. Legal has already approved the contents of COPR, so we're not in any trouble there. The content is all free/libre. The set of repos will be further curated from COPR, so only software people might actually want (as opposed to a thousand nightly build systems).

To be clear, I don't think there is any vetting going on here by legal. The guidelines for copr do state: https://fedorahosted.org/copr/wiki/UserDocs#FAQ and there is a process in place to 'flag' questionable coprs for manual review.

That said, I am +1 to this.

Considering we have https://fedorahosted.org/copr/wiki/UserDocs#WhatIcanbuildinCopr documented already, I am +1 for any Copr repository file to be installed by any rpm in Fedora Collection.

Can we add a sentence with a URL pointing back to a place where one can flag questionable content in:
- the copr repo file itself as a comment that would be visible to anyone editing this file
- the gnome software dialogue used to enable the repository
?

Replying to [comment:4 zbyszek]:

Can we add a sentence with a URL pointing back to a place where one can flag questionable content in:
- the copr repo file itself as a comment that would be visible to anyone editing this file

Sounds like a good RFE against copr?

  • the gnome software dialogue used to enable the repository
    ?

Sounds like a good RFE against gnome-software?

In any case, as sgallagh mentioned this ticket is about the policy, not technical details. ;)

+1 for the proposed clarification.

Looking back at http://meetbot.fedoraproject.org/fedora-meeting/2015-03-04/fesco.2015-03-04-18.01.log.html , my only current concern is whether the (non-mirrored) COPR servers can deal with the load and bandwidth requirements.

AGREED: FESCo agrees with changes proposed in https://fedorahosted.org/fesco/ticket/1421#comment:0 (+7, 0, -1) (thozza, 18:44:34)

ACTION: sgallagh to update the Third_Party_Repos wiki page (sgallagh, 18:47:26)

Proposed rephrasing:

== Old ==
Fedora allows contributors to build rpms and host the output in some repositories on our servers. These are known as Copr repositories. Packages in these repositories are not held to the same packaging standards as packages in the Main Fedora Repositories but they are all held to the same Licensing and Legal requirements. Fedora Legal has the authority to remove packages from the Copr repositories or have problematic Copr repositories removed as Red Hat is liable for any legal issues that may arise here. Due to this relationship, we are a little more flexible in our policy for Copr repositories than other third party repositories.

  • The COPR Repositories can provide RPMS with .repo files pointing to themselves because Red Hat is the provider and assumes liability
  • RPMS with .repo files pointing to COPR repos cannot be included in the main Fedora repository per [https://fedorahosted.org/fesco/ticket/1201#comment:20 FESCo decree].

Application installers in the main Fedora repositories may search COPR repos for applications to install as long as they explicitly ask the user to enable the copr repository as noted in the introductory section.

== New ==

Fedora allows contributors to build rpms and host the output in some repositories on our servers. These are known as Copr repositories. Packages in these repositories are not held to the same packaging standards as packages in the Main Fedora Repositories but they are all held to the same Licensing and Legal requirements. Fedora Legal has the authority to remove packages from the Copr repositories or have problematic Copr repositories removed as Red Hat is liable for any legal issues that may arise here. Due to this relationship, we are a little more flexible in our policy for Copr repositories than other third party repositories.

  • The COPR Repositories can provide RPMS with .repo files pointing to themselves because Red Hat is the provider and assumes liability
  • It is permissible to ship RPM packages containing .repo files that point to COPR repositories under the following conditions per [https://fedorahosted.org/fesco/ticket/1421 FESCo decree]:
      • The repo file has the setting {{{enabled=0}}}. This means that yum, dnf and other tools cannot install software from this repository without a manual step (such as {{{--enablerepo=<repo>}}})
      • The repo file has the setting {{{enabled_metadata=1}}}. This means that yum, dnf and other tools ''can'' optionally retrieve the metadata from this repository to provide a list of its contents to the user.

Application installers in the main Fedora repositories may search COPR repos for applications to install as long as they explicitly ask the user to enable the copr repository as noted in the introductory section.

That looks good to me, except I would change:

"It is permissible to ship RPM packages containing .repo files that point to COPR repositories under the following conditions per FESCo decree:"

to

"It is permissible to ship RPM packages containing .repo files that point to COPR repositories in the Fedora package collection under the following conditions per FESCo decree:"

just to be clear about what we mean by 'ship'.
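
The conditions in the approved wording can be checked mechanically before a package carrying a .repo file is accepted. The linter below is an added example, not part of this ticket or of any Fedora tooling; the COPR hostname, the name `check_repo_file` and the sample repo sections are constructed assumptions.

```python
import configparser
from urllib.parse import urlparse

# Assumption: host that serves COPR build results; set this for your audit.
COPR_HOSTS = {"copr-be.cloud.fedoraproject.org"}
ON, OFF = {"1", "true", "yes"}, {"0", "false", "no"}

def check_repo_file(text, copr_hosts=COPR_HOSTS):
    """Return {repo_id: [violations]} for every section of a .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    report = {}
    for repo_id in cp.sections():
        repo, problems = cp[repo_id], []
        # Condition from the ticket: installs need a manual --enablerepo step.
        if repo.get("enabled", "").strip().lower() not in OFF:
            problems.append("enabled must be explicitly 0")
        # Condition from the ticket: metadata may be fetched for listing only.
        if repo.get("enabled_metadata", "").strip().lower() not in ON:
            problems.append("enabled_metadata must be explicitly 1")
        # The exception covers COPR only: every URL must name a COPR host.
        raw = " ".join(repo.get(k, "") for k in ("baseurl", "metalink", "mirrorlist"))
        hosts = {urlparse(u).hostname for u in raw.replace(",", " ").split()}
        if not hosts or not hosts <= set(copr_hosts):
            problems.append("repository URL is not a COPR host")
        report[repo_id] = problems
    return report

# Constructed sample: one compliant section and two that break the conditions.
SAMPLE = """\
[copr-example-ok]
baseurl=https://copr-be.cloud.fedoraproject.org/results/exampleuser/exampleproject/fedora-$releasever-$basearch/
enabled=0
enabled_metadata=1

[copr-example-enabled]
baseurl=https://copr-be.cloud.fedoraproject.org/results/exampleuser/exampleproject/fedora-$releasever-$basearch/
enabled=1
enabled_metadata=1

[third-party-example]
baseurl=https://repo.example.org/fedora/$releasever/
enabled=0
"""

if __name__ == "__main__":
    for repo_id, problems in check_repo_file(SAMPLE).items():
        print(repo_id, "OK" if not problems else problems)
```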
