pkg: Maintainance of external software #8736
Labels
Area: pkg
Area: External package ports
Discussion: RFC
The issue/PR is used as a discussion starting point about the item of the issue/PR
State: don't stale
State: Tell state-bot to ignore this issue
Comments
miri64
added
Discussion: RFC
Any package maintainer that has to provide patches very probably uses a git repo anyways. Making that public and use it directly saves the trouble of "git format-patch", "git am", ... Using a commit hash (instead of a possibly changing tag) is necessary so every RIOT commit hash leads to the same sources being built. Using a tag for packages doesn't work here. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you want me to ignore this issue, please mark it with the "State: don't stale" label. Thank you for your contributions. |
stale
bot
added
the
State: stale
stale
bot
removed
the
State: stale
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I started a discussion in #8728 (comment) regarding maintainance of packages and the transparency of RIOT's packaging system where this software came from.
The problem
In my opinion forking a software into a separate Git repository controlled by the RIOT community requires a certain level of trust by our users that we did not mess with the original piece of software. Additionally, most of our packages (even the ones pointing to the original source) than pick some "random" commit to be the version of the package RIOT uses without any clear indication why this commit was chosen. This leads to very intransparent maintainance steps, when it comes to updating the package, since it isn't immediately clear, what the update includes.
My solution
I propose that we should at least for stable packages (i.e. which have releases and for which in-between these releases there is a clear maintenance process of those releases) we take the original source as upstream (yes even if that means downloading a ZIP file via HTTP;
tlsfshows this is doable) and strictly movePKG_VERSIONfrom release to release and provide hot-fixes provided in-between releases as patches. This way both the reviewer of a package update as well as our users can easily track the updates by having a look at the package's release log as well as the hot-fix patches provided.As far as I remember, our current approach grew
(1) is nowadays solved since Murdock has some caching mechanisms for both HTTP and Git sources and (2) I can sympathize with, but I don't see it as a reason for denying patches altogether.
The text was updated successfully, but these errors were encountered: