Splitting up that package repo, depending on maintenance status

I dont know specifics about this, but want to raise the question: Are all Fedora packages equal?

I heard there are many, even preinstalled in available Spins or Labs, that are very outdated @py0xc3 .

Not to speak of possible configuration or implementation issues (the build flags might be too loose etc.)

A method for auto-moving packages to “Fedora-Extras” or something would be needed.

This needs to be automated which is likely very complex.

Ideas:

• auto-detect the upstream version and the packaged version, move outdated packages
• have a ticketing system to mark packages
• use amount/time of open bugs with no response

Concerning Spins, I was referring to LXQt. Not sure if the issue has improved, but when I checked in 2023, most LXQt packages had been outdated for more than a year. The SIG does not maintain its packages but only uses what is available, since they have not the resources. Yet, we publish it as official spin without making users of the risks aware

But many spins come without an aligned/tailored default configuration like KDE or Workstation (a pre-configured firewall ain’t a “kill” criteria but remains my favorite ).

Not sure if such an approach is realistic. The reasons why packages are outdated is not always the same. There might be packages were no one had time or where the maintainer is no longer active or some pipeline was broken and no one recognized… That can be dangerous and imposes risks at the worst…

However, there are also cases when a package cannot be updated due to issues or due to dependencies, but that is still “under observation” by maintainers that ensure that no issues are related to that.

It cannot be automatically identified if and when a package is obsoleted, that’s part of the problem. Our upstream is very heterogeneous. So adding another “hop” in repos is not realistic imho. Also, having too few maintainers is already a problem. So increasing the work they have to do can increase the problem at the worst.

Unfortunately, a lot of users just want things to run and to be able to get installed… If packages are no longer available, many don’t care for the reason… and someone will then provide it elsewhere (which can worsen the actual risk on them).

My thought would have gone in the other direction:

Split the stable repo into “stable” as it is and “stable-safe” → stable is as usual, but stable-safe would only contain packages that we can ensure with a high probability that they are maintained, may it be by immediate updates, or by having someone to look after continuously it if it cannot be updated for some time for what ever reason… In short, a repo that avoids single points of failure. For example, the KDE SIG maintains packages that are effectively “observed” by the whole SIG. If something automated would fail, they would become aware of it. The same if someone forgets it: They regularly work with the packages the ship by default and align them. Both technical element and social/human elements are likely to be “corrected” by another one if any fails, given that a whole SIG has their eyes on it and the dependencies (even if just indirectly sometimes).

So users could then choose that they only want the stable-safe repo, and just change the default repo in their /etc/ → users then use either stable or stable-safe. With the latter, they ensure to get only packages with low probability of getting obsoleted or even risky.

One might add the possibility to collaborate: people who need a package but that is not yet stable-safe can engage with the maintainer and take the responsibility to regularly verify (and make a tick somewhere) if the package is still up to date. That is much less time intensive and needs less knowledge than packaging → a lot more people can engage here and invest time, and get their packages in stable-safe if they want. That might also help maintainers…

Obviously, the default should remain the normal stable repo… And then users can choose to replace stable by stable-safe. Just a thought

By the way, thanks for bringing this topic up!

[

This could be a nice approach to solving the issues raised.

I would be cautious about naming a repo “stable safe” though, as the word safe could create false impressions . Something like “fedora-core” and “fedora-extras” for the split up repos could take away that risk maybe?

Absolutely. I just used any name I had in mind when writing, in order to distinguish it from stable & relate to its purpose. The name indeed should be adjusted before implementing My interim name is indeed vulnerable to misinterpretations.

Well, it would be the opposite: it is stable but with less packages. I would not touch the name of the existing stable, as people are used to that for long. We could create a lot of confusion.

So it is the more restrictive repo that would need a name, so the new one that only contains packages that are unlikely to be affected by any single point of failure, and that is disabled by default unless users enable it.

“fedora-core” might be a possibility, but it is less focused on the purpose. Maybe “fedora-failsafe(d)” ? But that’s also easy to misinterpret… However, I am skeptics if we will get sufficient support on this Naming can be done later, in case there is interest/support to get this implemented.

I am not sure about the naming, I would say packages could fall back to “fedora-extras” all the time, and then needed to be approved to be in “fedora-core” again.

The naming… People would for sure say “what? Is the other repo now insecure?” and we say “yeah maybe”.

The push from “fedora-extras” to “fedora-core” would need to be initiated by a maintainer like a package maintainer, WG or SIG. This means all Workstation and likely also KDE Packages would be in core, but the others would be more diverse.

This manual push, for example every release (yes, this means a package may be half a year outdated, if it is abandoned after the push) would be a way it could work without complex and impractical automation tools.