
Get Going. openSUSE:Contrib ready!

December 17th, 2008 by

It’s alive! In an effort to bring another joy of contributing to the openSUSE distribution, a new team, process and package repository just recently saw the light of day: openSUSE:Contrib.


The openSUSE:Contrib repository is an extension of the openSUSE distribution. The goal is simple: making maintainership of packages in the openSUSE distribution possible for everyone. Currently, with openSUSE Factory, it is “only” possible to contribute code in the form of patches sent through the collaboration features of the openSUSE Build Service. While that is fine, it is missing an important bit of motivation: responsibility. Having responsibility for a piece of software inside a Linux distribution is a demanding but rewarding task, and it is also the one task that is essential to the whole distribution business, because that’s what a distribution is: a collection of packages. No matter whether you create a nice desktop wallpaper or hack on a system service, if you want it to end up in the distribution you have to squeeze it into a package and use the whole process around that.

With openSUSE:Contrib it is now possible for everyone to do that for the openSUSE distributions. So if you have experience in RPM packaging and you miss a piece of software in the openSUSE distribution, join the openSUSE:Contrib team to scratch that itch. For starters you should read the openSUSE:Contrib wiki page and subscribe yourself to the openSUSE:Contrib mailing list. See you around!


9 Responses to “Get Going. openSUSE:Contrib ready!”

  1. Contrib has small disadvantages, but it’s still a good initiative. And with nice logo ;) .

  2. Can you elaborate on the “small disadvantages”? :-)

  3. Anonymous

    This is like Ubuntu universe, we just get more packages.

  4. Phill Upson

    Sounds good from the point of view we’ll have more packages, but security always concerns me. I can see we have an approval process to ensure nothing in contrib breaks the system, can we be sure that the original source wasn’t modified with malicious intent? Obviously it’s a binary package so we can’t md5 it against an author’s original sources. Would it not be better to seek approval before a package is created, then the repo owner could lock the source package download url. Then have the package maintainer upload their build instructions and then have the work done on secure in house suse boxes? You could even break the download url into parts so the maintainer could even supply a new version, as long as it comes from the right url at sourceforge/project homepage. This way getting malicious code into the repo would require getting it into the source package and past the core development team’s eyes.

    Like I say, I think this sounds great, but it does worry me having a binary package install system where I can’t verify the package as good and it’d be a real shame to let a project as exciting as this pass me by. Obviously doing the building on suse’s own hardware would put the costs up, but you could ask for donations, I’m not rich, but I’d donate £5 a month happily, wouldn’t take a high percentage of the opensuse community to match that and improve their infrastructure budget surely?

    Regards

    Phill

    • Chris

      You probably might want to read about the Build Service which is used to build the packages in contrib: http://en.opensuse.org/Build_Service ;)

      Regarding exchanging the source: Sure, theoretically it can always happen with binary distributions but you can get the source that is used to build the packages (including .spec file & patches) and can view the build logs. If that isn’t enough for you, you probably have to stick with some “compile it yourself from source” distro like Gentoo or LFS. – and even then you can’t be sure that the source wasn’t modified as long as you don’t get it from the project’s homepage & review it yourself.

    • > Sounds good from the point of view we’ll have more packages, but security always concerns me.

      It concerns all of us…

      > I can see we have an approval process to ensure nothing in contrib breaks the system, can we be sure that the original source wasn’t modified with malicious intent?

      You can always assure that to the extent you trust the last person who touched it. So for a binary package from the repository you can trust it as much as you trust the packager. For a source tarball you can trust it as much as you trust the person who rolled it. For the individual source files you can trust it as much as you trust the developer who wrote it.

      Or to put it clearly: If you do not trust the openSUSE:Contrib packagers you can not use the openSUSE:Contrib repo. Same holds true for any other step in the chain.

      > Obviously doing the building on suse’s own hardware would put the costs up

      Where do you think the openSUSE Build Service is located? It’s in the SUSE location in Nuremberg.

  5. Giovanni Masucci

    It would really be nice to have a section of contrib with codecs not in factory…right now we have to use packman which has a lot of duplicates with factory…

    • Beineri

      Codecs which are for legal/whatever reasons not part of the distribution are also not allowed to be in the build service.