[maemo-developers] Ask for removal of some packages from Extras Fremantle repository

From: Marius Vollmer marius.vollmer at nokia.com
Date: Tue Mar 23 09:53:04 EET 2010
ext Attila Csipa <maemo at csipa.in.rs> writes:

> On Tuesday 23 March 2010 01:00:19 Gary Birkett wrote:
>> why doesn't HAM allow somebody to use a later provided version from Beniots
>> own repository?
>> there would be nothing wrong with leaving everything existing and Beniot
>> can get what he wants by still offering users the opportunity to add his
>> own repository and gain later updates and we retain the polished solid
>> versions available for regular users.
>
> There was some mention of this previously. Basically, the issue is 
> authenticity (package hijacking avoidance, whether intentional or not), and/or 
> generic cross-repository FUBAR avoidance. Imagine what would happen during the 
> Qt4.5 to Qt4.6 transition if we had external repositories containing apps 
> referencing Qt.

Yes, exactly.  I originally put the "package domain" system into HAM as
an attempt to reduce the 'repository mess'.  Of course, this prevents
packages to legitimally move from one domain to another, which is
sometimes wanted.

The domain system is not secure: any package can modify it, you just
have to convince users to install that package.  But that modification
at least does not happen by accident.

Now, we might end up with a "domain mess" when people really start
creating their own domains.  I hope that that does not happen, but if it
does, we should probably improve how HAM determines which domain
dominates which other domains, and maybe even involve the user in this.


This is my neutral view as a provider of some of the technology.  Of
course, the maemo.org Extras repository is The One, and I think it is
really really bad when people move their packages out of it.  As has
been said, a good reaction of the maemo.org community would be to just
take over maintainership of those packages, and essentially copy them
back into maemo.org Extras whenever a new version appears out there.

This should not be a lot of work if the package doesn't need significant
improvement to pass the QA criteria, and if it does, it can just be left
out if nobody wants to do that work.

That would be a win for everybody: Benoit can publish his versions in
his own repository/domain and doesn't have to bother with the maemo.org
processes.  Still, his packages end up in maemo.org Extras, and might
even be improved in the process.
More information about the maemo-developers mailing list