On 23 September 2015 at 10:31, Matthew Miller <mattdm(a)fedoraproject.org> wrote:
> On Tue, Sep 22, 2015 at 08:45:32PM -0700, Karsten Wade wrote:
> > AIUI, the concern is that what is labeled/supported by the CentOS
> > Project as 'CentOS' needs to go through the CentOS Project QA system.
> > We simply cannot blindly accept builds from outside of the CentOS
> > builders just on say-so. (Compare to RPMfusion et al -- putting that
> > repo in as a default for Fedora users is more than a legal issue, it's
> > a QA/test/build/sign/release issue.)
> I can understand that with "out of the family" sources, but with Red
> Hat now sponsoring CentOS as well as Fedora.... can we build a better
> bridge of trust, here?
I thought what Karsten was asking for was "Trust but Verify". They
aren't going to blindly trust RPMs for CentOS more than we are going
to blindly trust RPMs from COPRs in the build system {I think Copr is
a better analogy than RPMfusion as that gets covered in legal sauce.}.
The packages need some sort of testing which would actually be more
than what we have currently in EPEL. {ssssh I didn't say this.}
There are multiple ways they can trust but verify.
* Rebuild the package in the CBS system and get their CI to run tests
as part of that.
* Run the CI against the packages, which, depending on how the CI is
intertwined with Koji, may be harder than it sounds.
* Help get a similar CI stood up for EPEL and trust those results.
> --
> Matthew Miller
> <mattdm(a)fedoraproject.org>
> Fedora Project Leader
--
Stephen J Smoogen.