Brokenness of the OpenWrt "packages" repo (was: Re: [PATCH] Revert "dbus: update to 1.13.18")

Etienne Champetier champetier.etienne at gmail.com
Sun Apr 25 23:51:00 BST 2021


Hi Bjørn,

On Sun, Apr 25, 2021 at 09:53, Bjørn Mork <bjorn at mork.no> wrote:
>
> Rosen Penev <rosenp at gmail.com> writes:
>
> > Why was this sent here? dbus is in the packages feed.
>
> Sorry, I assumed that was obvious.  I'll explain
>
> There is a continuous push to move packages from the OpenWrt core repo to
> the "packages" repo. This would have been fine if both these repos could
> be trusted. Unfortunately, that is not the case.
>
> That's why this is relevant to OpenWrt. The low standards of the
> packages repo reflect back to OpenWrt.  I believe core needs to take
> control over packages again, or something must be done to improve the
> quality of the packages repo.

I see you are the maintainer of "conserver", why should any of the
core developers care about such niche software and spend time
run-testing it? ;)

The packages repo was moved to Github and control was given to non
core developers to be able to scale better.
Before that it was more or less impossible to add new packages or do
modifications to them.
You have to think of OpenWrt packages as Ubuntu PPA or Fedora Copr,
each package has a separate maintainer and quality will vary,
and you can install only the packages you are interested in while
building using "./scripts/feeds install <package>"

It's not perfect, but asking the core maintainers to review an
additional 1000 packages is not going to fly.
The only improvements that scale are more automation and CI IMO, but
if you have concrete ideas I'm all ears.

> When a package cannot even be installed, like the current example, then
> how do we know what security issues other packages have?

Are you trying at the same time to complain about updates that are not
run-tested and about possibly having packages that are not up to date?
For dbus there is no maintainer
(https://github.com/openwrt/packages/blob/3ddefd7feb2014e8a45cfbb1491f4afc1a1d2d04/utils/dbus/Makefile#L18),
I would personally mark it as broken or remove it instead of making it
work again, but it means removing some other packages.

> No testing and no review is a recipe for disaster.

I believe each maintainer is usually given some time to review / test
changes on their packages,
but here there is no maintainer :(

> No one should use the packages repo as is.

1 package out of 1000 has been broken for more than 2 weeks, seems a
bit of an overreaction, don't you think?
Even if 100 packages are broken I prefer the current situation,
because we still have 900 packages working to answer everyone's specific
needs.

> The bad or missing procedures add to this.  Why can anyone commit their
> own code without any review?

The occasional breakage isn't worth the extra effort of having each
commit reviewed by someone else, and nobody has offered to do that.
Not everyone has commit access, and Rosen isn't anyone, he is the top
contributor to OpenWrt packages and by far (~2400 commits),
sure he causes breakage from time to time but he is also there to fix it.

>  Why are squashed commits allowed?  One
> commit, one change is a golden rule.  There's a reason for that.

For PRs, only merge and rebase have been enabled for multiple months now,
where do you see squashed commits?

> IMHO, the problem with the packages repo is mostly about attitude. There
> is no reason to skip run testing in the first place.  This buggy change
> would never have been committed by any qualified developer.

No need for attacks.
Run testing is the job of the maintainer, no maintainer == no run testing.
Should we let the package stay without updates? Or should we just remove it?

> And you got a report 19 days ago that the package was uninstallable:
> https://github.com/openwrt/packages/commit/0fb5d3ed2cb31a0a6076d36fb7a668cfe5328c92#commitcomment-49147445
> The only logical thing to do would be an immediate revert.  But no, the
> package is still broken.  Why?

Yes, this should have been reverted immediately, everything else in
this email is overreaction to me.

> So the question for OpenWrt core is: Do you really want to depend on the
> packages repo?  Going down with it?

$ find . -name Makefile | grep '^./package/' | wc -l
264
$ find . -name Makefile | grep '^./feeds/packages/' | wc -l
1039

> (As you know, dbus is not the first package you've left so broken that a
> simple install was enough to find the bug.  I stumbled on
> https://github.com/openwrt/packages/pull/14366 a while ago - I assume
> there are plenty more)

More than happy to merge broken packages removal, you can ping me,
and looking forward to your concrete proposals to improve the current
status quo ;)

Etienne

>
> Bjørn
