The SafeRepo Initiative

Many third party repositories exist for Enterprise Linux distributions. These repositories provide several different types of packages. Not all repositories clearly describe the types of packages that are provided, which may lead to unexpected results. The SafeRepo Initiative is a set of guidelines for third party repositories to follow in order to help users avoid these unexpected results.


Current Problem With Third Party Repositories

When you subscribe to third party repositories, you often don't know what will happen. Different third party repositories behave differently. Some repositories only provide additional packages that are not in the stock distribution. Other repositories contain newer versions of stock packages with the same name. Many do not fully describe the types of packages they provide, which can lead to unexpected results for end users.

When a repository doesn't clearly describe the types of packages they provide, users of the repositories are put at risk.

Here is a common example. A user subscribes to a third party repository for a newer major version of MySQL. Later, they discover that their application is broken because PHP was also updated to a new major version during updates.

Examples of Safe Repositories

Examples of Unsafe Repositories

We are not going to explicitly call out specific projects, but there are ways to recognize unsafe repositories.

Safe Package Types

Add-on Package

Parallel Installable Package

Safe Replacement Package

Unsafe Package Types

Direct Replacement Package