Could a realistic third way of installing packages from source be that we use COPR builds and repositories through the GNOME installer? I think in the future it would be a great option for testing, optional use of Copr if necessary, and similar purposes. Could this be a realistic solution to provide next to RPMs, Flatpaks, and source builds done by Copr? Can we add Copr repos to the GNOME installer UI? I just would like to hear some feedback. Maybe this is just a useless idea, but maybe not. TIA.
Copr is extremely untrusted and thus should be avoided in 99.9% of the cases:
- the author can build whatever they want in which way they want, not respecting Fedora Packaging Guidelines. This means the author can fully mess with your system in unpredictable ways
- contrary to Flatpaks, the resulting software is not sandboxed
- there’s an access token for copr that can be very easily stolen and that’s basically the single step before the repo is compromised. A very widely adopted repository might be a valuable target for hackers with less effort involved
- a lot less scrutiny
- if a software repo is abandoned, then it’s abandoned and there’s little if any chance a maintainer steps in for keeping the orphan
In my opinion having the copr available on gnome software would expose random and unaware users to the risks above. Copr is a nice test ground, but I believe it should stay as a tool for package maintainers and very skilled power users.
Alright, seems you are right, but here is a remaining question:
- What if I search for a package: would it be a nice addition to know its status (actively maintained, orphaned, not-yet-packaged, or such), and maybe we can inspire people to step in as package maintainers, with a learning curve?
- Can dnf provide such information?
I don’t think there’s a way to know that on COPR. Updates on COPR are enforced by the maintainer alone, so possibly even an orphaned status would have to be enforced by the maintainer (if the maintainer disappears, who orphans it? On the main repos this is enforced by other maintainers; I don’t see this as feasible on COPR).
I believe COPR should be confined to dnf. It is a tool for experts and not for common users. Even dnf warns when enabling COPRs, and for a good reason. Exposing COPR in Software would lure unaware users into the dangers of installing random software from untrusted sources, very likely compromising the stability of the system. The best thing is to completely hide it from non-technical users.
That said, if you want to tinker with your system and be involved in the development and package maintainership… Experiment yourself! But this is a field for technical people, and I believe such tools should be just for them.
Okay, understood. However, in general, I know the GNOME Software UI is not really ideal from a user perspective: it has no advanced mode, it has many flaws and missing features, and it doesn’t follow the changes and improvements that have already happened around package handling by dnf/Flatpaks/AppImage and such. The idea that a skilled user would be able to compile directly from source, locally only, in an automated way can be useful, IMHO, and Copr has all the features to make it doable. The question is whether, as an option, using Copr tools in a sandboxed way could be useful?
Your statement is hurtful and untrue. There are lots of people who build great packages and host them on COPR. If you feel like some packages are not good, then report them, because the rest of us are doing all we can to support COPR.
Here is one I’m involved in:
I didn’t want to offend anyone in particular, and if I did I apologise.
That said I’m going to clarify that I intended that in general you cannot trust a COPR repo. You should always double check that what you install is properly maintained. On COPR there are a lot of improperly maintained packages in the sense of package guidelines. You can get a good guess if you know the maintainer knows his stuff or you recognise a Fedora official maintainer, but in most cases people don’t know it or people don’t have enough skills to judge and assess a repo quality.
So in general, saying that Copr is safe is a risk for the average guy, and I believe it would be equivalent if all Copr repos suddenly became visible in GNOME Software.
This doesn’t mean no copr should ever be used by anyone or there aren’t people there packaging things properly.