Brokenness of the OpenWrt "packages" repo (was: Re: [PATCH] Revert "dbus: update to 1.13.18")
bobafetthotmail at gmail.com
Mon Apr 26 20:21:40 BST 2021
On 25/04/21 15:51, Bjørn Mork wrote:
> Rosen Penev <rosenp at gmail.com> writes:
>> Why was this sent here? dbus is in the packages feed.
> Sorry, I assumed that was obvious. I'll explain.
> There is a continuous push to move packages from the OpenWrt core repo to
> the "packages" repo. This would have been fine if both these repos could
> be trusted. Unfortunately, that is not the case.
> That's why this is relevant to OpenWrt. The low standards of the
> packages repo reflect back to OpenWrt. I believe core needs to take
> control over packages again, or something must be done to improve the
> quality of the packages repo.
Nobody had "control" over most non-core packages before when they were
in core repo, so nobody would review contributions that would bitrot and
eventually get closed. That's why they get moved to packages repo.
I think the only way forward is improving quality/rules/integration
tests or whatever in the package repo, "going back" would just mean the
package will never get updated in years even if it has bugs because no
core developer cares enough (or knows enough) to review and merge
> When a package cannot even be installed, like the current example, then
> how do we know what security issues other packages have? No testing and
> no review is a recipe for disaster. No one should use the packages repo
> as is.
> The bad or missing procedures add to this. Why can anyone commit their
> own code without any review?
To be fair, there is plenty of "commit their own code without any
review" in core repo too. It's just that the developer is much more
experienced and makes fewer mistakes. Maybe.
> Why are squashed commits allowed? One
> commit, one change is a golden rule. There's a reason for that.
> IMHO, the problem with the packages repo is mostly about attitude. There
> is no reason to skip run testing in the first place. This buggy change
> would never have been committed by any qualified developer.
I think the main problem is about rules and enforcement of them. Are
there rules for the package repo?
Are there "super users" that can enforce them, revert the commits just
because it's not conformant to rules and scold anyone that is caught
merging bad stuff?
Can someone lose commit access if he keeps ignoring rules?
In core repo (on Github mostly) I've seen Adrian Schmutzler do this a
bit with the newer core developers. But it's a single person posting
some comment every once in a while, and there are not a lot of "new core
developers" all the time.
For packages feed it will have to require more people or at least more
> And you got a report 19 days ago that the package was uninstallable:
> The only logical thing to do would be an immediate revert. But no, the
> package is still broken. Why?
> So the question for OpenWrt core is: Do you really want to depend on the
> packages repo? Going down with it?
Depend on what? dbus and all other stuff in packages are not required by
core to work.
If they are broken, the issue is only in the package repo, which is seen
as "additional functionality", and thus less critical.
That's the way packages repos have always been seen as. It's not a "core
repo" but a "community repo", similar to Ubuntu PPA repos, or Arch's AUR
repos, or OpenSUSE's OBS repos. It's stuff maintained by third parties
that shares the same build infrastructure, and as such it may or may not
blow up in your face.
> (As you know, dbus is not the first package you've left so broken that a
> simple install was enough to find the bug. I stumbled on
> https://github.com/openwrt/packages/pull/14366 a while ago - I assume
> there are plenty more)