On Sun, Jun 20, 2021 at 7:19 PM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote: > > On Sun, Jun 20, 2021 at 08:37:03AM -0500, Michael Catanzaro wrote: > > On Sun, Jun 20 2021 at 07:29:16 AM -0400, Neal Gompa > > <ngompa13@xxxxxxxxx> wrote: > > >Most of our rules are designed to make sure there's someone ultimately > > >responsible for everything going into Fedora. Unfortunately, bots are > > >the opposite of that, because there's no one to reach to stop bad > > >behavior when it happens. > > > Hm, this seems pretty simple to solve though, right? Allow bots to > > submit updates on behalf of packagers, but not with their own bot > > FAS accounts. > > Let's not throw out the baby with the bath water. > > A human *is* responsible and known. When a bot account is given > permission, we make sure that there's a known human behind the account. > Things are no other in this particular case, see the original ticket [1]. > > Actually, if the bot were using their human's account, things would be *less* > transparent. By using a separate account, we are making it clear that > this update stream is made by this particular bot (as opposed to e.g. > some human occasionally using a script to release some updates). > > [1] https://pagure.io/fesco/issue/2228 > I wish our new FAS implementation gave us the ability to generate delegate/service accounts associated with a primary account. That way, we have a clear record of a human owning it, and when that human's account is known to no longer be active, the bot breaks with it. > > This would be like how GNOME package updates currently > > work, where a bot does the hard work but a human is ultimately > > responsible (and subscribed to each bodhi update, so feedback will > > at least not be completely missed). > > The line can be a big hazy, but I'd say that if: > - a human is just using a script or even a some program to fire off > the update — this particular person's account must be used. > - some bot prepares the update, but a human still need to make the final > step and may or may not publish the update: probably better to do it > using this person's account. > - the bot is set up once and then keeps releasing updating until stopped, > and may be managed by multiple people — a separate bot account is preferable. > The problem is that this whole thing works off the premise that Rawhide is a dumping ground. It is not. It also works off the premise that nobody cares about the stuff being pushed into Dist-Git, Koji, and to users. And frankly, that has not been true for a *very* long time, if it ever was. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
