From Fedora Project Wiki

(Jot down notes from jwb)
 
(docs moved to pagure)
 
1) COPRs can provide RPMS with .repo files in them because Red Hat is the provider and assumes liability, but those cannot be included in the main Fedora repos per FESCo decree.


2) COPR repos may be searched for applications to install as long as the user is explicitly asked to enable the copr before installing packages from them.


3) General 3rd party repositories cannot be searched or enabled due to liability concerns.


(NOTE: "searched" in 2 and 3 was intended to cover searching by software. Clearly users can manually search for anything.)


4) FESCo is okay with pointing to specific free software repositories in the same way as COPR repos if they are approved by FESCo and Fedora Legal. They are not limited in the criteria that they can choose to apply.


5) For non-free software repositories, FESCo is not changing existing policy. Non-free software repositories are not allowed. Permission to make these discoverable via searching software would require a change in policy from the Fedora Board.



Latest revision as of 12:02, 29 September 2018

This page is deprecated
FESCo docs have moved to docs.fp.o (https://docs.fedoraproject.org/en-US/fesco/) with source hosted in a pagure repo (https://pagure.io/fesco/fesco-docs). This page is now at https://docs.fedoraproject.org/en-US/fesco/Third_Party_Repository_Policy/.


End users sometimes want to install software that is not provided by Fedora. This policy lays out the extent to which Fedora Products can make it easier for end users to do that.

At the moment, FESCo policy is that no third party repositories can be configured in package managers in Fedora. However, Fedora may ship application search software that searches for applications in some specific third party repositories in addition to the Fedora Main Repository and install packages from them. This application search software can search for applications in these specific third party repositories as long as the user is explicitly asked to enable the repository before installing packages from them.

Copr Repositories

Fedora allows contributors to build rpms and host the output in some repositories on our servers. These are known as Copr repositories. Packages in these repositories are not held to the same packaging standards as packages in the Main Fedora Repositories but they are all held to the same Licensing and Legal requirements. Fedora Legal has the authority to remove packages from the Copr repositories or have problematic Copr repositories removed as Red Hat is liable for any legal issues that may arise here. Due to this relationship, we are a little more flexible in our policy for Copr repositories than other third party repositories.

  • The COPR Repositories can provide RPMs with .repo files pointing to themselves because Red Hat is the provider and assumes liability.
  • It is permissible to ship RPM packages containing .repo files that point to COPR repositories in the Fedora package collection under the following conditions per FESCo decree (https://fedorahosted.org/fesco/ticket/1421):
    • The repo file has the setting enabled=0. This means that yum, dnf and other tools cannot install software from this repository without a manual step (such as --enablerepo=<repo>).
    • The repo file has the setting enabled_metadata=1. This means that some tools can optionally retrieve the metadata from this repository to provide a list of its contents to the user. The option is not used by yum or dnf.
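
A package reviewer can check the two conditions above mechanically. The following is an added example, not part of the policy or of any Fedora tooling: it parses .repo content and reports every repository section that does not carry enabled=0 and enabled_metadata=1. The function name, repo ids and URLs are assumptions made for illustration.

```python
import configparser

# Constructed sample .repo content; repo ids and URLs are placeholders.
SAMPLE_REPO = """\
[copr:example-compliant]
name=Copr repo for example-compliant
baseurl=https://copr.example.invalid/compliant/
enabled=0
enabled_metadata=1

[copr:example-enabled]
name=Copr repo enabled by default
baseurl=https://copr.example.invalid/enabled/
enabled=1
enabled_metadata=1

[copr:example-missing]
name=Copr repo with neither key set
baseurl=https://copr.example.invalid/missing/
"""

# The two settings the policy requires, compared literally as written there.
REQUIRED = {"enabled": "0", "enabled_metadata": "1"}

def audit_repo_text(text):
    """Return {repo_id: [problems]} for sections that break either condition."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        if repo_id == "main":  # global options section, not a repository
            continue
        problems = []
        for key, want in REQUIRED.items():
            got = parser.get(repo_id, key, fallback=None)
            if got is None:
                # The policy asks for the explicit setting, so absence is flagged.
                problems.append(f"{key} is not set (policy requires {key}={want})")
            elif got.strip() != want:
                problems.append(f"{key}={got.strip()} (policy requires {key}={want})")
        if problems:
            findings[repo_id] = problems
    return findings

if __name__ == "__main__":
    for repo_id, problems in audit_repo_text(SAMPLE_REPO).items():
        for problem in problems:
            print(f"{repo_id}: {problem}")
```
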

Application installers in the main Fedora repositories may search COPR repos for applications to install as long as they explicitly ask the user to enable the copr repository as noted in the introductory section.

Other Repositories with only free (libre) software

Of course, Fedora doesn't have the only software repositories that contain free (libre) software. There are other third party repositories that Fedora users want to use. Since Red Hat has no relationship with these repositories as it does with Copr repositories, allowing things in Fedora to point users to these repositories would represent a new legal liability. Fedora Legal would need to audit the packages in these repositories for legal problems both when the repositories are initially approved and on an ongoing basis (as the software in the repositories is updated, Fedora Legal would need to check that the new versions of packages in the repository remained legally okay for us to point people at.) For this reason, the rules for including a non-Copr third party repository are more strict than for Copr repos.

  • Third party repositories that host diverse pieces of software (a repository like Fedora before it became a Red Hat community project, for instance) cannot be searched or enabled. This is because it would simply be too much work for Fedora Legal to audit such a repository.
  • Repositories that enable a specific piece of free software may be pointed at in the same way as COPRs. However, they must be approved by both FESCo and Fedora Legal first.
  • Fedora Legal is not limited to simply evaluating the repositories on Legal criteria. Because they are responsible for auditing the third party repositories on an ongoing basis, they have discretion to say no for other reasons including (but not limited to) simply not having time to take on the auditing of more repositories.
  • FESCo and Fedora Legal can remove approval as well as grant it. This is due in part to the work that ongoing maintenance represents to Fedora Legal and also to the fact that package updates in the repositories could mean we no longer want to point to them.

Application installers in the main Fedora repositories may search repositories that are currently approved under the above list as long as they explicitly ask the user to enable the third party repository as noted in the introductory section.

Repositories with non-free (libre) software

Repositories that contain non-free software may be offered to users under the following conditions:

  • Users must be presented with clear information about Fedora provided/Libre software vs Non-free/3rd party software.
  • Users must explicitly opt in to such repositories after the information is presented to them.
  • Non-free software repositories must be approved by an active Fedora Working Group (for an edition), or FESCo (for all other deliverables) and are subject to the same criteria as the section above on other free software repositories (i.e., permission may be revoked, repositories with many different applications will be rejected as too difficult to police, etc.).

Non-free software may not be presented to the user without explicit user enablement in any Fedora Edition or Spin.