Brokenness of the OpenWrt "packages" repo (was: Re: [PATCH] Revert "dbus: update to 1.13.18")

Alberto Bursi bobafetthotmail at
Mon Apr 26 20:21:40 BST 2021

On 25/04/21 15:51, Bjørn Mork wrote:
> Rosen Penev <rosenp at> writes:
>> Why was this sent here? dbus is in the packages feed.
> Sorry, I assumed that was obvious.  I'll explain
> There is a continous push to move packages from the OpenWrt core repo to
> the "packages" repo. This would have been fine if both these repos could
> be trusted.  Unfortunately, that is not the case.
> That's why this is relevant to OpenWrt. The low standards of the
> packages repo reflects back to OpenWrt.  I believe core needs to take
> control over packages again, or something must be done to improve the
> quality of the packages repo.

Nobody had "control" over most non-core packages before when they were 
in core repo, so nobody would review contributions that would bitrot and 
eventually get closed. That's why they get moved to packages repo.

I think the only way forward is improving quality/rules/integration 
tests or whatever in the package repo, "going back" would just mean the 
package will never get updated in years even if it has bugs because no 
core developer cares enough (or knows enough) to review and merge 

> When a package cannot even be installed, like the current example, then
> how do we know what security issues other packages have? No testing and
> no review is a recipe for disaster.  No one should use the packages repo
> as is.
> The bad or missing procedures adds to this.  Why can anyone commit their
> own code without any review?  

To be fair, there is plenty of "commit their own code without any 
review" in core repo too. It's just that the developer is much more 
experienced and makes less mistakes. Maybe.

> Why are squashed commits allowed?  One
> commit, one change is a golden rule.  There's a reason for that.
> IMHO, the problem with the packages repo is mostly about attitude. There
> is no reason to skip run testing in the first place.  This buggy change
> would never have been commited by any qualified developer.

I think the main problem is about rules and enforcement of them. Are 
there rules for the package repo?
Are there "super users" that can enforce them, revert the commits just 
because it's not conformant to rules and scold anyone that is caught 
merging bad stuff?
Can someone lose commit access if he keeps ignoring rules?

In core repo (on Github mostly) I've seen Adrian Schmutzler do this a 
bit with the newer core developers. But it's a single person posting 
some comment every once in a while, and there are not a lot of "new core 
developers" all the time.

For packages feed it will have to require more people or at least more 

> And you got a report 19 days ago that the package was uninstallable:
> The only logical thing to do would be an immediate revert.  But no, the
> package is still broken.  Why?
> So the question for OpenWrt core is: Do you really want to depend on the
> packages repo?  Going down with it?

Depend on what? dbus and all other stuff in packages are not required by 
core to work.

If they are broken, the issue is only in the package repo, which is seen 
as "additional functionality", and thus less critical.

That's the way packages repos has always been seen as. It's not a "core 
repo" but a "community repo", similar to Ubuntu PPA repos, or Arch's AUR 
repos, or OpenSUSE's OBS repos. It's stuff maintained by third parties 
that shares the same build infrastructure, and as such it may or may not 
blow up in your face.


> (As you know, dbus is not the first package you've left so broken that a
> simple install was enough to find the bug.  I stumbled on
> a while ago - I assume
> there are plenty more)
> Bjørn
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at

More information about the openwrt-devel mailing list