[users] Clamav

Yury V. Zaytsev yury at shurup.com
Wed Jul 3 17:59:46 CEST 2013

On Wed, 2013-07-03 at 07:13 -0700, Mark D. Nagel wrote:
> Isn't the main differentiator the fact that repoforge has both
> packages
> that extend and packages that replace? EPEL only has the former IIRC.

Kind of...

The policy with respect to replacing base packages used to be pretty lax
in the past, but more recently the package base was split in several
repositories, where the basic repoforge repository isn't supposed to
replace base packages anymore (if it does, it's considered a bug).

The packages that replace base system packages were then all moved to an
optional extras repository, which is disabled by default.

At the moment, the main differentiators are (1) number and selection of
packages, (2) support for non EOL-ed ELs, (3) different policies w.r.t.
package configuration, (4) less bureaucratic procedure for including new
packages (which has a number of both up- and down- sides to it).

Therefore, I don't see EPEL as being a replacement for RepoForge,
because the goals of the projects and the implementation strategies for
these goals are quite different, or, rather, I would view RepoForge as a
complement (or an alternative) to EPEL, but given the current state of
affairs, it's prudent to consider EPEL to be a more reliable package
source than RepoForge for the package base that it covers.

> Perhaps it can be saved if Dag is willing to delegate authority to a
> trusted group, though.

We are discussing just that at the moment and the stumbling block seems
to be adding new signing keys.

Historically, Dag used to be the only person who was able to sign the
packages, and people had well-deserved trust in him. It's not very clear
on how to proceed with adding new packagers in a way that doesn't
silently delegate this trust to the new people, which, of course, is
completely unacceptable for many reasons.

I'm arguing that a public announcement on the mailing list and an
explicit installation of a new *-release package would be enough of a
warning and makes it a conscious choice of the user as to whether to
continue to trust only Dag or also accept packages signed by others.

I guess we should bring this up in a separate thread on the mailing list
to see what the actual users do think about that.

Sincerely yours,
Yury V. Zaytsev

More information about the users mailing list