From herrold@swampfox.owlriver.com Tue Feb 18 10:00:58 2003 Date: Sat, 23 Nov 2002 20:49:40 -0500 From: R P Herrold To: herrold@swampfox.owlriver.com Subject: Togami-fedora-manifesto HTML dump on Sat Nov 23 20:49:39 EST 2002 http://videl.ics.hawaii.edu/~warren/fedora.html Fedora Community Proposal v0.0.1 Warren Togami November 11th, 2002 Synopsis Fedora is a community project to ease publishing and delivery of 3rd party software on the Red Hat platform. A community of package maintainers maintains a central repository which is mirrored around the world and accessible via apt-get and Synaptic. Through simple modifications, apt-get will become easier to use and more fault tolerant while more evenly distributing downloads across the mirrors. Ultimately Fedora will make Red Hat Linux much easier to use for normal people because software installation/maintenance will no longer be a daunting task. Goal: The ultimate goals of this project are three-fold: 1. Bring Red Hat software installation and package management to such a level of ease that end-users would rarely need to use a command line or edit obscure text files. The answer to most user questions should be "apt-get it from Fedora". Once things are this easy and dependable, nobody will complain that Linux is hard. 2. Create a large body of well-tested packages that integrates well into official Red Hat releases. This includes many Open Source projects as well as commercial software. These packages will also serve as a test-bed for software to be later included in the official Red Hat distribution if user demand is high. 3. Attract more volunteer package developers to the Red Hat platform in a spirit similar to the Debian community. These of course are very ambitious goals, but I assert that through a series of phases the following plan can achieve this goal. Introduction Currently software installation of anything beyond the standard Red Hat packages is simply too hard for end-users. Tarball installation is non-trivial and totally a turn off for many new users. While some 3rd parties distribute Red Hat packages, they often become out of date or have dependency problems with other non-standard packages. Long term maintenance of 3rd party packages is also less certain because they are often not steadily maintained. Also due to legal problems (DMCA, export restrictions, patents), and licensing restrictions (non-OSS software), certain types of useful and desirable software cannot be included in the official Red Hat distribution or be distributed legally from America. Current repositories like FreshRPMS largely solves many of these problems, unfortunately it does not have a mechanism to encourage users to use mirrors. Fedora will use the following aspects in order to improve this situation: 1. Fedora packages are polished to work well on this platform and with other official Fedora packages. Fedora maintainers volunteer to take care of a set of packages and are assisted by the community through mailing lists and the Fedora Bugzilla. 2. fedora-config will be a GUI and TUI tool to allow the user to easily manage their Fedora repository channels, mirrors and crytographic keys. Users will be shown geographic location and DNS addresses of mirrors so they can easily choose a nearby mirror. This tool will also address some of the robustness shortcomings of Synaptic. Please read the fedora-config section below for more information. 3. Fedora Channels Various types of software channels can be selected in fedora-config to be added to sources.list. Some of these channels would be rh-main, rh-updates, fedora-main, fedora-freeworld (non-US), fedora-commercial, fedora-k12ltsp, or fedora-education along with stable, testing and unstable levels. Channels aid in software selection by offering only the type of software you want, along with legality by making certain repository download sites separated. For example, non-US packages of DVD players can be hosted outside of the USA while Macromedia Flash plugin can be hosted on Macromedia's official server. Please read the Fedora Channels section below for a more detailed explanation. 4. fedora-catalog will be a friendly GUI software catalog that is an alternate method of installating software. Within this catalog will be pictures and descriptions of various available software titles within the subscribed channels so users can learn about software that they have not yet tried. After checking a few titles that they wish to install, they click Install and Synaptic takes over installation. Please read the fedora-catalog section below. 5. apt-get improvements We will need to add the ability of apt-get to detect and reject non-signed or invalid signatures on packages. The current apt method of relying entirely on signed package lists is flawed and unsafe. Once apt-get has this enhancement, we will be able to better ensure the integrity of Fedora as a whole from both the Open Source packages and the commercially signed packages (described below.) 6. Synaptic improvements As a long term goal, I believe that Synaptic itself should be improved. Synaptic is currently too non-intuitive and poorly organized, rather confusing for non-experienced Linux users. I believe that we should eventually work on a usability improvements. Research will be needed to figure out what these improvements should be. Phases of the Fedora Project The goals of this project are very ambitious and will take a considerable amount of work, so I have broken this up into a series of phases. 1. Phase One 1. Initial repositories and mirrors. 2. Mailing lists. 3. [1]Keyring like Debian for the maintainers. 4. Temporary distributed sources.list. Phase Two 1. fedora-config 2. Fedora Bugzilla 3. Enforce key checking in apt-get. 4. fedora-stats 5. Slashdot announcement Phase Three 1. fedora-catalog 2. ??? Phase Four 1. Synaptic improvements 2. ??? 3. Profit! Fedora Channels Fedora has three types of software channels. * main Open Source Software packages. This includes MP3 players/decoders since distribution of free decoders seems to be legal. * main repositories can be mirrored all throughout the world with few restrictions. freeworld (non-US) Open Source Software but cannot be hosted in America due to various legal restrictions. Some examples within this category would be DVD players. * freeworld repositories can be mirrored anywhere in the free world. ([2]Map of the free world.) * I highly recommend freeworld's master mirror to be hosted at a high capacity non-US location like freshrpms.net. commercial Certain proprietary companies will provide Fedora specific RPM packages only from their websites and their own apt repositories. This restriction is only so that they can collect accurate download statistics in order to guage marketshare and the amount of resources they should put into future Linux software development. Some Fedora maintainers will maintain these packages while keeping contact with the company. Bugs against these packages will also be tracked in Fedora Bugzilla just like the other categories. One example of a proprietary package would be Macromedia Flash plugin. * commercial repositories will be controlled by the respective companies. It may be possible for the companies to allow official mirrors only through their explicit permission. * commercial repository packages will be signed by their own GPG key. Companies affiliated with Fedora will have their public GPG key in the Fedora keyring. In addition to the basic channels, there will be other channels containing certain other types of software. * k12ltsp - This channel will contain packages needed to make a K12LTSP Terminal Server, generally used by educational institutions. * education - General educational desktop software. In addition to these channels, we will have some mechanism to have various levels of stability in stable, testing, and unstable similar to the Debian distribution. Fedora Config and fedora-init The initial apt-get packages for end-users will encourage users to select from a list of official mirrors. It does so because its sources.list contains only the fedora-init repository. This repository contains only the following packages (and perhaps others like rpm-4.1-9 since the RH80 rpm is rather broken): 1. apt-get 2. synaptic 3. fedora-lists This package contains a complete list of all Fedora mirrors and channels, including geographical location and which channels they contain. This is separate from sources.list. The lists are located in this separate package in order to make it easy to update it through normal package updating methods. 4. fedora-config 1. Reads fedora-lists and gives the user the following options: 1. Choose nearby mirrors for main and freeworld. They will primarily see geographical location rather than domain name, as this is generally a better way to choose nearby mirrors. Domain name will be shown in a smaller font meaning it is less important in their decision. Perhaps a later version of fedora-config may try to "detect" their location and guess the optimal default choice. 2. Checkboxes to enable/disable various commercial repositories. 3. Options to to manually add non-Fedora repositories. After configuration, fedora-config goes through the following startup process: 1. Generate /etc/apt/sources.list from chosen mirrors. 2. Attempt apt-get update on to check if main, freeworld, and commercial are accessible. 3. If they are not, change to fallback mirrors and try again. 4. Run Synaptic. When the user runs "Synaptic" from this point on, it first runs the startup process of fedora-config in order to be sure that their sources.list always has working mirrors. Synaptic itself lacks the ability to handle errors and will sometimes refuse to run completely if the repositories settings are incorrect or down. As mentioned earlier, fedora-config will not be ready until Phase 2, so before that point we will distribute fedora-lists and people will need to edit their sources.list manually. Fedora Catalog Description under construction. fedora-stats This will be a set of standardized tools to parse download logs (HTTP or FTP) and send Fedora download statistics to a central server. These statistics will eventually be used in various ways to analyze patterns of package popularity and improve the distribution as a whole. If we can't figure out useful uses for these statistics, at least we would have an automatic system that gives us interesting numbers and graphs to be proud about. Further description under construction. Volunteer Positions within the Fedora Community There are several volunteer positions necessary in order for this project to work. 1. Package Maintainers (many) Any developer can volunteer to maintain packages for Fedora. Maintainers may assume maintainership or co-maintainership over certain packages. GPG keys of maintainers and the packages they maintain are kept in a database. Packages ready for publication are signed by maintainers and given to Release Managers. 2. Release Managers (few) Release managers are a small core of trusted developers who hold the Fedora private key. Packages ready for publication are received from maintainers, checked for validity against the maintainer keyring, then re-signed with the official Fedora GPG key and put on the master mirrors. For security purposes, everything in this process except for the actual signing may be automated with scripts. 3. Server Maintainers (few) A few administrators will be needed in order to maintain the Fedora Bugzilla, Fedora mailing lists, Fedora keyring, and maintainer databases. References 1. http://keyring.debian.org/ 2. http://thefreeworld.net/