On Sun, Nov 14, 2021 at 9:42 AM Marc Deop i Argemí <marcd...@fedoraproject.org> wrote:

> On Saturday, 13 November 2021 03:49:32 CET Ben Cooksley wrote:
> > Hi all,
>
> Hi Marc,
>
> > It has recently been brought to my attention that packages of KDE
> > Frameworks 5.88.0 have been prematurely released by the distribution
> > PCLinuxOS, as visible at https://repology.org/project/krunner/versions
> >
>
> Maybe (hopefully) it was just a mistake? We should contact them and ask. (I
> acknowledge this seems like wishful thinking though).
>
> > they obtained the packages from someone else (either because they directly
> > shared their access, because they shared the packages with PCLinuxOS or
> > because PCLinuxOS has discovered the location of source packages for one or
> > more distributions).
>
> As Neal mentioned in another email, some distros already have the packages
> prepared and they are publicly available (Fedora, Mageia and possibly others)
> although not in their stable releases.
>
> In particular, we (Fedora KDE-SIG) build the packages in Rawhide (the
> development version of Fedora) and we use a COPR (like an Ubuntu PPA) under my
> namespace to build packages for early adopters who help us find issues.
>
> Unfortunately, if somebody wants to gather the sources from those places they
> certainly can do so without real blockers.
>
> If it's a problem, we can stop building in COPR until the release is official. I
> asked a few months ago and I was told it was ok to have it as long as it was
> not publicly announced (I don't remember who told me though, apologies).

That may have been me :)

> The big problem here is: not building in Rawhide would complicate preparing
> packages quite a bit for us. We could probably find a solution, of course, but
> I'd rather not change the existing mechanism for practical reasons.

As long as the COPR repository in question is not widely advertised I think what you're doing is perfectly fine.

From my understanding your repository is only shared among members of your team and it isn't marked as official so nobody else should be aware of it.

> > It would be appreciated if distributions could please review whether it is
> > possible that PCLinuxOS obtained the packages via them and ask the
> > PCLinuxOS team to please contact us as it would be preferable that such
> > premature leaks/releases did not take place.
> >
>
> I will make sure to bring this up on our (Fedora KDE-SIG) next meeting on
> Monday to talk about it. Any KDE person is more than welcome to join (Nate,
> Carl, Aleix join us somehow often :-) )

Thanks.

One possibility is that distributions could periodically change the location where they "stage" the packages before release (by renaming the repository, creating a new one, etc.) to ensure that only those who should be aware of the correct URL to the repository have it to hand.

Cheers,
Ben