Hi everybody,

I've realized that there's a big mismatch between the permissions that
are necessary and the immediate impact for orphaning and retiring a
package:

orphan:
- is reversible by a single button press by anybody in the "packager" group
- has no immediate effect / effect only after 6 weeks of inaction
- but: can only be done by "main admin" / "owner" of package

retire:
- is irreversible without filing a releng ticket and manual human intervention
- has "immediate" effect (seconds to minutes for koji, < 1 day for
  repos) for the package and all its dependencies
- but: can be done by all packagers with package access ("commit",
  "admin", "main admin" access levels) and all provenpackagers

Shouldn't the action with *more severe and immediate impact* be the
one which requires a higher level of permissions on a package?

For example, I was thinking about dropping some Rust SIG packages that
are no longer needed by the SIG (or in Fedora). Maybe I would rather
like to orphan them so any packager who is interested in them can pick
them up within 6 weeks without any bureaucratic hoops to jump through.
But since I am not "main admin" of those packages, I can only retire
them *immediately*, which seems backwards to me.

So ... should we make retirement of packages harder, or should we make
it easier to orphan a package (e.g. by making it possible for
co-maintainers to orphan a package)? Right now, there's a big mismatch
between permission level and impact of possible actions.

Fabio