When the Fedora gitlab instance was created, after some discussion, it was decided that permissions be handled by FAS Groups which then assign permissions to certain roles in gitlab. This was chosen as the best way forward, for one main reason: everyone contributing to a group or repo in gitlab/Fedora would have to log in using a Fedora Account, and signed the FPCA.
Currently, it is possible for a group to add people not associated with a FAS account, (primarily if the SAML group linking is not set up or removed by the group owner). And we have one sig expliciity asking to just manage permissions with gitlab -- which opens that sig up to adding users without FAS accounts or signed the FPCA: https://pagure.io/fedora-infrastructure/issue/11326
The question here is, should we enforce groups to use the SAML/FAS group links to ensure users have a FAS account / have signed the FPCA?
I've created a topic on Fedora Discussion for this ticket.
Please keep this ticket focused. Discuss there, and record votes and decisions here. Thanks!
Metadata Update from @jflory7: - Issue tagged with: policies
Discussed in 2023-06-07 Council meeting.
The Council approves (+3/0/-0) the continued use of the GitLab SAML link for membership to the Fedora GitLab.com organization (and thus, the FPCA requirement), but participation in the Fedora namespace repositories and issue trackers should not require a FAS-linked GitLab account to participate.
There was a short conversation that long-term, we aren't really happy with this integration as-is but this is because we have been talking about better options for git forges in general for a while. There were rumblings about a dedicated GitLab platform just for Fedora (e.g. git.fedoraproject.org et al) but right now, this is a capacity-related planning question and should not block this ticket.
git.fedoraproject.org
Closing as resolved.
resolved
Metadata Update from @jflory7: - Issue close_status updated to: resolved - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.