Brokenness of the OpenWrt "packages" repo (was: Re: [PATCH] Revert "dbus: update to 1.13.18")

Bjørn Mork bjorn at
Sun Apr 25 14:51:15 BST 2021

Rosen Penev <rosenp at> writes:

> Why was this sent here? dbus is in the packages feed.

Sorry, I assumed that was obvious.  I'll explain

There is a continous push to move packages from the OpenWrt core repo to
the "packages" repo. This would have been fine if both these repos could
be trusted.  Unfortunately, that is not the case.

That's why this is relevant to OpenWrt. The low standards of the
packages repo reflects back to OpenWrt.  I believe core needs to take
control over packages again, or something must be done to improve the
quality of the packages repo.

When a package cannot even be installed, like the current example, then
how do we know what security issues other packages have? No testing and
no review is a recipe for disaster.  No one should use the packages repo
as is.

The bad or missing procedures adds to this.  Why can anyone commit their
own code without any review?  Why are squashed commits allowed?  One
commit, one change is a golden rule.  There's a reason for that.

IMHO, the problem with the packages repo is mostly about attitude. There
is no reason to skip run testing in the first place.  This buggy change
would never have been commited by any qualified developer.

And you got a report 19 days ago that the package was uninstallable:
The only logical thing to do would be an immediate revert.  But no, the
package is still broken.  Why?

So the question for OpenWrt core is: Do you really want to depend on the
packages repo?  Going down with it?

(As you know, dbus is not the first package you've left so broken that a
simple install was enough to find the bug.  I stumbled on a while ago - I assume
there are plenty more)


More information about the openwrt-devel mailing list