#1562 drop exception to proven packager access to packages
Closed None Opened 3 years ago by zbyszek.

= phenomenon =
https://fedoraproject.org/wiki/Who_is_allowed_to_modify_which_packages
says:
As an exception, some specific packages can be closed to provenpackagers, upon FESCo approval.

This is vague, almost unused, and serves little purpose. In fact I have no idea how to discover the list of packages on this list. Let's drop this in the spirit of simplifying our processes and rules.

= background analysis =
AFAIK there's just one package that is on the exception list: firefox. I certainly have no intent of committing anything to the firefox package, this ticket is not about firefox. It's about having some special-case policy that is little used, but is part of the rules. Proven packagers are allowed to commit to glibc, kernel, systemd, and pretty much anything else, and it works just fine. Singling out a few packages as exceptions doesn't seem to give any benefits.

= implementation recommendation =
Drop the exception.


afaik all of the mozilla packages have it due to trademark issues.

Trademarks are important, but they're hardly the most important thing. There are rules (recently clarified) for what reasons proven packagers are supposed to touch packages, and far going modifications which could impact trademarks are not on that list.

Replying to [comment:2 zbyszek]:

> Trademarks are important, but they're hardly the most important thing. There are rules (recently clarified) for what reasons proven packagers are supposed to touch packages, and far going modifications which could impact trademarks are not on that list.

to get trademark rights to use mozilla trademarks they have to approve all patches.

spec file changes to tweak something are fine afaik, but if you actually patch the code you have to have approval from mozilla.

I just do not think it is quite as simple as you think. I am not opposed to removing the restrictions, just pointing out why they are there.

If it's just firefox, I think removing the exception and putting a big comment block about what changes need to be done in careful consultation in the specfile itself would be best. By definition, we trust provenpackagers to be responsible with this kind of thing.

Replying to [comment:5 mattdm]:

> If it's just firefox, I think removing the exception and putting a big comment block about what changes need to be done in careful consultation in the specfile itself would be best. By definition, we trust provenpackagers to be responsible with this kind of thing.

There are three packages that have it set: xulrunner, firefox and thunderbird.

It's worth noting that aside from the commit thing here there's other issues with other packages:

  • Some packages maintain their specs in their upstream SCM. (anaconda, fedora-release, others). If provenpackagers change these their changes will get overwritten the next time the package is built by the maintainers.

  • Some packages provenpackagers can commit fine to (kernel, grub2, shim) but they cannot actually build them, koji will reject the build at the tagging stage.

I think we need to make sure that maintainers add a note to the top of their spec for these other cases, and perhaps agree on a tag/format to use so that anyone who runs scripts over packages could note these special cases and leave them alone. If we have that perhaps we could drop the no commit on those 3 packages.

Since we're talking about something that is in place, I'd like to take a different angle.

These packages were made exceptional for legal reasons. You say yourself that you have no intention of committing to them, so since things are already in place: what harm does the current situation do? You say it has no benefits, but there was/is a reason it was made this way: legal.

If the problem is just the lack of documentation on which packages are in this group, that's easy to remedy. If the problem is that the reasons for which the exception was created no longer apply then I'm all for dropping it, but afaik this isn't really the case.

That being said, dropping this exception is one config change for pkgdb :)

I don't like the exception because it's another rule for packagers to ingest, even if only to understand that it doesn't apply to them.

> to get trademark rights to use mozilla trademarks they have to approve all patches.

There are a lot of other possible changes, and even simple rebuilds for bumped dependencies.

There's other exceptions that should actually be there like shim* packages which only specific people can really touch because of the fact it needs process and specific smart card access for some of the process

Replying to [comment:10 pbrobinson]:

> There's other exceptions that should actually be there like shim* packages which only specific people can really touch because of the fact it needs process and specific smart card access for some of the process

pesign-test-app, kernel, shim, grub2, fedora-release, fedora-repos, pesign all are set to use the secure-boot channel in koji and can only successfully be built by people with the correct permissions.

Putting this on agenda for Friday's meeting at 17:00 UTC

We discussed this in today's meeting and zbyszek is going to file an FPC ticket to come up with guidelines for how to handle special packages that provenpackagers shouldn't normally commit to.

https://meetbot.fedoraproject.org/fedora-meeting/2016-04-01/fesco.2016-04-01-17.00.log.html
