pkg: Maintainance of external software #8736
Labels
Area: pkg
Area: External package ports
Discussion: RFC
The issue/PR is used as a discussion starting point about the item of the issue/PR
State: don't stale
State: Tell state-bot to ignore this issue
I started a discussion in #8728 (comment) regarding maintainance of packages and the transparency of RIOT's packaging system where this software came from.
The problem
In my opinion forking a software into a separate Git repository controlled by the RIOT community requires a certain level of trust by our users that we did not mess with the original piece of software. Additionally, most of our packages (even the ones pointing to the original source) than pick some "random" commit to be the version of the package RIOT uses without any clear indication why this commit was chosen. This leads to very intransparent maintainance steps, when it comes to updating the package, since it isn't immediately clear, what the update includes.
My solution
I propose that we should at least for stable packages (i.e. which have releases and for which in-between these releases there is a clear maintenance process of those releases) we take the original source as upstream (yes even if that means downloading a ZIP file via HTTP;
tlsf
shows this is doable) and strictly movePKG_VERSION
from release to release and provide hot-fixes provided in-between releases as patches. This way both the reviewer of a package update as well as our users can easily track the updates by having a look at the package's release log as well as the hot-fix patches provided.As far as I remember, our current approach grew
(1) is nowadays solved since Murdock has some caching mechanisms for both HTTP and Git sources and (2) I can sympathize with, but I don't see it as a reason for denying patches altogether.
The text was updated successfully, but these errors were encountered: