The SafeRepo Initiative is a ‘proposal’ [if you will] for a standard in 3rd party Yum repositories. Currently there is none. It is more of an idea than an official specification. The idea of safe repositories came about while building out the IUS Community Project, and as such this proposal is led by the IUS Core Development Team.
3rd party Yum repositories introduce a level of unknown compatibility, as well as unknown usage. One repo might offer 3rd Party Packages that are meant to replace existing Stock Packages within a Stock Distro, while others might only add packages to a distribution. However, with many of them you simply don’t know what they will do when you subscribe, and often they override Stock Packages from the Distro, which is unsafe in a production environment.
System administrators and end users need to know whether a 3rd Party Repo they are subscribing a server to is safe. Choosing to follow the development practices of the SafeRepo Initiative tells your users that you value standardization and the assurance that using your custom package repository isn’t going to bork their otherwise clean/stock Linux distribution.
SafeRepo is not a certification, rather a push for awareness. If you are interested in making your repositories safer, see the specification below. Once you feel your repo meets the requirements, add a notice to your site that says something to the effect of “This site is SafeRepo Aware!”. Be sure to link it back to us so your users know what it means. Additionally, if you’d like to be added to our list of known safe repositories, just send us an email at firstname.lastname@example.org.
The following outlines the basic steps and requirements necessary to make your 3rd party Yum repo SafeRepo Aware. The package requirements for providing a SafeRepo are simple, though they differ by package type. The following are the general package types as they relate to creating a safe repository of 3rd party packages:
This type of package provides software that does not currently exist in the Stock Distro. The Fedora EPEL repositories are perfect examples of strictly addon packages. The following rules apply:
This type of package provides the same software as an existing Stock Package (e.g. php53 provides php). The IUS Community Project is an example of a 3rd Party Repo that only provides Replacement Packages. The following rules apply:
Must not automatically install, upgrade, or replace Stock Distro Packages when subscribing to the repo.
This type of package is very much like a Replacement Package, however it is meant to be installed side-by-side with the Stock Distro Package that it would otherwise replace. Some distros use this technique to introduce newer software without disrupting the system and the software that requires the older version. Python, for example, is a system critical piece of software. Upgrading it will always cause issues, but by parallel installing a newer version of Python you have the best of both worlds. Users/Applications that require a newer version of that software can explicitly call the alternate location while other software continues to work fine. The following rules apply:
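To make the package types and the “must not automatically replace Stock Distro Packages” rule concrete, here is an added example (not code from the IUS project or this proposal) that audits a 3rd party repo’s package list against a Stock Distro inventory. The inventories are constructed sample data; real metadata would come from repoquery or primary.xml. Packages sharing a stock name, or obsoleting one, are flagged as overrides, since yum would pull those in on a routine update without the administrator asking for them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkg:
    """One package from a 3rd party repo, with the metadata relevant to SafeRepo."""
    name: str
    version: str
    provides: frozenset = frozenset()   # virtual names this package satisfies
    obsoletes: frozenset = frozenset()  # stock names yum would auto-replace on update

# Constructed sample inventories (hypothetical versions, not real repo contents).
STOCK = {"php": "5.1.6", "python": "2.4.3", "httpd": "2.2.3"}

THIRD_PARTY = [
    Pkg("php53", "5.3.3", provides=frozenset({"php"})),        # Replacement Package
    Pkg("python26", "2.6.8"),                                   # Parallel Installable
    Pkg("httpd", "2.2.15"),                                     # same name as stock: unsafe
    Pkg("nginx", "1.0.15"),                                     # Addon Package
    Pkg("php-next", "5.3.3", obsoletes=frozenset({"php"})),     # Obsoletes stock: unsafe
]

def classify(pkg: Pkg, stock: dict) -> str:
    """Classify one package relative to the Stock Distro.

    'override'    : same name as a stock package (a newer EVR is pulled in by
                    `yum update`) or Obsoletes a stock package (yum swaps it in
                    automatically). Either violates the rule for Replacement Packages.
    'replacement' : different name but Provides a stock name; only installed when
                    an administrator explicitly asks for it, so it is allowed.
    'addon'       : neither; Addon and Parallel Installable packages both land here,
                    since repo metadata alone cannot tell the two apart.
    """
    stock_names = set(stock)
    if pkg.name in stock_names or pkg.obsoletes & stock_names:
        return "override"
    if pkg.provides & stock_names:
        return "replacement"
    return "addon"

def audit(repo: list, stock: dict) -> dict:
    """Group a repo's packages by category; 'override' is the SafeRepo violation list."""
    report = {"addon": [], "replacement": [], "override": []}
    for pkg in repo:
        report[classify(pkg, stock)].append(pkg.name)
    return report

def is_saferepo_clean(repo: list, stock: dict) -> bool:
    """True when subscribing to the repo cannot silently alter any Stock Package."""
    return not audit(repo, stock)["override"]

if __name__ == "__main__":
    print(audit(THIRD_PARTY, STOCK))
```

The "override" list is exactly what an administrator would otherwise have to put in an `exclude=` line of the .repo file to subscribe safely; a SafeRepo Aware repository should leave that list empty.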