Rahul and Jef Spaleta asked me about this recently so I decided to throw
this out as a conversation starter. Please comment on this as Luke and
I need some input from releng or FESCo about whether this is a goal we
should be aiming for before we can implement it.

= Unsponsored Comaintainers =

Sometimes a contributor wants to get involved with a single Fedora
package. This is often the case with upstream maintainers who are
interested in seeing their software run well on Fedora but either lack
the time to participate in or are disinterested in Fedora as a whole.

One way to enable this is to have current Fedora Packagers "mentor" the
upstream maintainers. The Fedora Packager can be the owner of record
for the package and make sure that it integrates with the rest of
Fedora. The upstream maintainer would take the role of comaintainer for
the package and help mainly with code-related bugs.

For this sort of work, it would be ideal if the comaintainer could
commit to the package but not build or push. The package owner would
then have the ability to check the changes that the upstream maintainer
made to verify they followed the Fedora Packaging Guidelines and
integrated with things going on in the rest of the distro.

At the moment we are constrained by the limitations of the tools we're
working with (koji, packagedb, cvs repository, and bodhi). So here's a
three-phase approach to getting to the ideal:

== Phase 1 ==

Upstream maintainer and Fedora Package owner decide to collaborate. The
Upstream maintainer signs the CLA. Someone from a group of sponsors
willing to work on this as a pilot program sponsors them into cvsextras.
The comaintainer can now request commit acls on the package. This gives
them access to commit to cvs, build in koji, and push via bodhi for this
package. There is an understanding among the participants that the
upstream maintainer should not work on packages for which they have not
been granted commit access. The sponsor has to watch the commits list
for changes made by the upstream maintainer that violate this policy.

This requires no changes to our tools but requires:

1) a pool of sponsors willing to work on this
2) commitment from unsponsored comaintainers to follow the rules and
   sponsors who are willing to police those comaintainers to make sure
   they're abiding by them.

== Phase 2 ==

In phase 2, we can remove the pool of sponsors. Instead we allow people
without cvsextras to sign up to comaintain a package. If the primary
package maintainer approves, the comaintainer is allowed to use any of
the acls they are approved for. The package owner would still have to
watch to make sure the comaintainer is not doing more than they are
supposed to on that particular package.

This requires changes to the cvs repository so people not in cvsextras
but explicitly in the acl are allowed to commit. This could be a bit
tricky as we currently have two levels of security in the repository: 1)
People must be in the acl to access resources of the repository, 2) they
must be in cvsextras. We'll want something equivalent in the new setup.

== Phase 3 ==

In this stage, we make sure that acls prevent people from doing things
they are not supposed to, freeing the package owner from some of the
manual policing they had to do before. The PackageDB will have acls for
pushing and building as well as committing. This will allow package
owners to specify that a maintainer should only be allowed to commit or
only allowed to commit and build.

The packagedb will need to allow changing of build and push acls. [easy]

Bodhi will need to operate on the push acls instead of the commit acls.
[easy]

koji will need to support restricting builds.

-Toshio