English Portuguese (Brazil)
Third-Party Repository Policy
A third-party repository is any software repository that the Fedora Project does not officially maintain, including link:https://copr.fedorainfracloud.org/[Copr repositories], as well as repositories that are hosted outside of the Fedora Project.
This policy sets out the conditions under which Fedora editions and spins can include repository definitions that make the contents from those third party repositories available to users. It applies to **repository definitions integrated with the usual package installation mechanisms** like `dnf` or GNOME Software. Unless such integration exists, this policy does **not** cover the packaging of:
Language-specific tools (`pip`, `maven`, `cargo`, `go`, …).
Tools that primarily exist to access external software packaging ecosystems (`snap`, `apt`, `pacman`, …).
Tools that provide images of other systems (`docker`, `podman`, `machinectl`, …).
These tools can use third-party repositories without the restrictions described below.
This policy is intended to ensure quality and legal protections for the most critical and visible software mechanisms used by Fedora, while allowing special-purpose software management tools to function as expected. The policy also aims to ensure that software provided under its terms is clearly labeled, so users are fully informed about the origin of the software they are installing.
Software from third-party repositories cannot be used when creating Fedora images.
Third-party repository distribution
Third-party repositories should be distributed in descriptively named rpm packages. Each third-party repository should be defined once through a separate (binary) package.
Traditionally, definitions for multiple repositories were combined into one package (for example, Fedora Workstation edition installs a package called `fedora-workstation-repositories`), but this is discouraged and should not be done in new cases.
Repositories can be configured with either `enabled_metadata=0` or `enabled_metadata=1` (or equivalent), at the discretion of the relevant working group or SIG.
If they fulfill the requirements set out in this policy, a Fedora edition or spin install media can include third party repository definitions.
The third-party nature of the repository must be apparent to the user when they enable it, as should the non-free status of its content, if such. To ensure this, repository files must initially include the `enabled=0` (or equivalent) setting, and the user must explicitly enable third-party repositories to install from them. FESCo may grant an exception to waive this requirement.
Reuse of repository definitions among editions or spins is encouraged.
Key requirements for third-party repositories
Third-party repositories must be approved by an active Fedora working group or SIG, or by FESCo. Groups who approve the inclusion of third party repositories must have a documented process which allows for community input, which produces a traceable history for each decision (for example, a ticket or other record).
Additionally, repositories included in an edition or spin's third-party repository list must conform to the following requirements:
Just as with any software hosted by Fedora, third party repositories must not contain material that poses an undue legal risk for the Fedora Project or its sponsors. This risk includes, but is not limited to, software with known patent issues, copyright issues, or software tailored for conducting illegal activities. Fedora working groups should evaluate if a proposed addition or provider poses a significant risk, and if in doubt, confer with Fedora Legal for advice.