On Thu, Feb 6, 2020, 21:14 Till Maas <opensource@till.name> wrote:
On Tue, Jan 21, 2020 at 04:34:37PM +0000, Leigh Griffin wrote:

> On behalf of the CPE team I want to draw the community's attention to a
> recent blog post which you may be impacted by:
> https://communityblog.fedoraproject.org/git-forge-requirements/
>
> We will be seeking input and requirements in an open and transparent manner
> on the future of a git forge solution which will be run by the CPE team on

Aleksandra's comment made me aware that for dist-git, we do not really
need a git forge, it is just that the pagure git forge was used to
implement a lot of workflows that pkgdb provided in the past.

I tried to write the requirements as user stories to make them easier to
understand. What do you think?

This is a really welcome contribution, thank you!

- As a package maintainer, I can only commit to a dist-git repo, if I am
  in the Fedora packager group.
- As a package maintainer, I can only commit to a dist-git repo, if I am
  a maintainer of the branch.
- As a proven packager, I can commit to all dist-git repos that do not
  have special restrictions set by FESCo or are retired.
- As a FESCo member, I can configure exceptions to disallow proven
  packager access to a dist-git repo.
- As a dist-git repo admin, I can easily add other maintainers to allow
  commit or admin access for dist-git repo by using their FAS username.
- As a dist-git repo admin, I cannot remove access to the repo from
  Fedora infra, Releng or proven packagers without FESCo approval.
- As a package maintainer, I can easily orphan a dist-git repo or branch
  to show that it is not maintained anymore.
- As a package maintainer, I can adopt any orphaned dist-git repo or
  branch.
- As a package maintainer, I can easily unretire a retired dist-git repo
  or branch.
- As a release engineer, I can easily approve unretire requests for a
  dist-git repo or branch.
- As anybody, I can easily see the FAS usernames of maintainers for all
  branches of a dist-git repo.
- As a non-releng member, I cannot remove any commits from any dist-git
  repo that were used to build a Fedora package.
- As an external user, I can easily get a list of all orphaned or
  retired dist-git repos and branches.
- As anybody, I can watch for issues (bugzillas) or PRs that are created
  for a dist-git repository.
- As anybody, I can easily get a list of all dist-git repos that I am
  watching.
- As anybody, I can easily get a list of all dist-git repos that a
  specific Fedora account has admin/commit access to.
- As anybody, when looking at the dist-git repo it is clearly visible
  which branches are still maintained.
- As anybody, when I look for a specific branch, EOL branches do not
  clutter my view.
- As a package maintainer, I can easily request commit/admin access for
  a specific branch or dist-git repo.

Also since dist-git is a critical part of our infrastructure, there
should probably also be some security-related requirements such as:

- As Fedora infra, I can easily audit that no git repo was accessed
  without authorization.
- As Fedora infra/security response team, I have access to secure logs
  to analyse the impact of unauthorized access to all dist-git repos.
- As anybody, the dist-git web page of a repo points me to Bugzilla to
  report issues for a repository.

I did not manage to read all other replies, so there might be some
duplicates but it also seems to me that many of these items were not
mentioned.

Kind regards
Till