Third Party Repository Policy

From FedoraProject

Jump to: navigation, search

End users sometimes want to install software that is not provided by Fedora. This policy lays out the extent to which Fedora Products can make it easier for end users to do that.

At the moment, FESCo policy is that no third party repositories can be configured in package managers in Fedora. However, Fedora may ship application search software that searches for applications in some specific third party repositories in addition to the Fedora Main Repository and install packages from them. This application search software can search for applications in these specific third party repositories as long as the user is explicitly asked to enable the repository before installing packages from them.

Copr Repositories

Fedora allows contributors to build rpms and host the output in some repositories on our servers. These are known as Copr repositories. Packages in these repositories are not held to the same packaging standards as packages in the Main Fedora Repositories but they are all held to the same Licensing and Legal requirements. Fedora Legal has the authority to remove packages from the Copr repositories or have problematic Copr repositories removed as Red Hat is liable for any legal issues that may arise here. Due to this relationship, we are a little more flexible in our policy for Copr repositories than other third party repositories.

  • The COPR Repositories can provide RPMS with .repo files pointing to themselves because Red Hat is the provider and assumes liability
  • It is permissible to ship RPM packages containing .repo files that point to COPR repositories in the Fedora package collection under the following conditions per ​FESCo decree:
    • The repo file has the setting enabled=0. This means that yum, dnf and other tools cannot install software from this repository without a manual step (such as --enablerepo=<repo>)
    • The repo file has the setting enabled_metadata=1. This means that some tools can optionally retrieve the metadata from this repository to provide a list of its contents to the user. The option is not used by yum or dnf.

Application installers in the main Fedora repositories may search COPR repos for applications to install as long as they explicitly ask the user to enable the copr repository as noted in the introductory section.

Other Repositories with only free (libre) software

Of course, Fedora doesn't have the only software repositories that contain free (libre) software. There are other third party repositories that Fedora users want to use. Since Red Hat has no relationship with these repositories as it does with Copr repositories, allowing things in Fedora to point users to these repositories would represent a new legal liability. Fedora Legal would need to audit the packages in these repositories for legal problems both when the repositories are initially approved and on an ongoing basis (as the software in the repositories is updated, Fedora Legal would need to check that the new versions of packages in the repository remained legally okay for us to point people at.) For this reason, the rules for including a non-Copr third party repository are more strict than for Copr repos.

  • Third party repositories that host diverse pieces of software (a repository like Fedora before it became a Red Hat community project, for instance) cannot be searched or enabled. This is because it would simply be too much work for Fedora Legal to audit such a repository.
  • Repositories that enable a specific piece of free software may be pointed at in the same way as COPRs. However, they must be approved by both FESCo and Fedora Legal first.
  • Fedora Legal is not limited to simply evaluating the repositories on Legal criteria. Because they are responsible for auditing the third party repositories on an ongoing basis, they have discretion to say no for other reasons including (but not limited to) simply not having time to take on the auditing of more repositories.
  • FESCo and Fedora Legal can remove approval as well as grant it. This is due in part to the work that ongoing maintenance represents to Fedora Legal and also to the fact that package updates in the repositories could mean we no longer want to point to them.

Application installers in the main Fedora repositories may search repositories that are currently approved under the above list as long as they explicitly ask the user to enable the third party repository as noted in the introductory section.

Repositories with non-free (libre) software

Repositories that contain non-free software may be offered to users under the following conditions:

  • Users must be presented with clear information about Fedora provided/Libre software vs Non-free/3rd party software.
  • Users must explicitly opt in to such repositories after the information is presented to them.
  • Non free software repositories must be approved by a active Fedora Working Group (for an edition), or FESCO (for all other deliverables) and are subject to the same critera as the section above on other free software repositories (ie, permission may be revoked, repositories with many different applications will be rejected as too difficult to police, etc)

Non-free software may not be presented to the user without explicit user enablement in any Fedora Edition or Spin