#2248 psabata and ppisar should not have ACLs on packages without the permission of the maintainer
Closed: Fixed None Opened 11 years ago by spot.

Recently, psabata and ppisar were given ACLs on perl-*, without the knowledge or consent of the maintainers. In fact, only one maintainer was aware of this, mmaslano.

Accordingly, all ACLs for the psabata and ppisar accounts should be taken away, with the exception of those packages that mmaslano maintains (which is not an insignificant number of perl- packages). If they would like ACLs on other perl- packages, they can request it from the maintainer.


I agree. Lets do this and make sure we use whatever policy fesco decides moving forward.

On second thought, lets let fesco decide a policy, and also decide if we revert this, make it match the new policy or whatever.

Added this as a specific question for fesco to decide what to do:

https://fedorahosted.org/fesco/ticket/403#comment:18

Couple notes for those following at home: at least one other perl-* maintainer was aware since they replied to the ticket after it was CC'd to the perl mailing list. There are some other maintainers that were unaware of the change but okayed it after the fact. We don't have records of all of these.

I'd already said no to the request to change back here: https://fedorahosted.org/rel-eng/ticket/3780 since it is repeating the same mistake but with the purpose of undoing the original request. Fesco can definitely ask that the change be reversed and I'll be happy to do that once they approve it.

The method to undo is for someone with sysadmin-db to remove their acls '''from every package in the db''', similar to how their acls were removed for approveacls:

{{{
update personpackagelistingacl set statuscode = 13 where personpackagelistingid in (select id from personpackagelisting where username in ('ppisar', 'psabata'));
}}}

Then do a normal request process using this script '''and the instructions in the script for disabling email sending'''

http://git.fedorahosted.org/git/?p=fedora-infrastructure.git;a=blob;f=scripts/pkgdb_bulk_comaint/comaint.py;hb=HEAD

Note that I asked if it was okay to remove their approveacls rights for every package in the rel-eng ticket and took silence as consent. I don't know if we need more of a reply since we're removing commit and watch* acls this time.

Would it be possible return them commits and acls to all my perl-* modules and perl package?

Yes, it's possible. I'm having a little problem finding time to write a script to comply with the second point of the fesco requirement::
Mail maintainers/co-maintainers affected by the change to inform them of who requested the change and why.

-  http://fedoraproject.org/wiki/CVS_Admin_SOP#Performing_mass_comaintainer_requests

I'll try to work on this in the next two weeks while I'm at a conference. Being able to perform the change requires me to have a stable internet connection long enough to let the scripts run, though. So I may need to upload the script here and see if someone else can do the work.

I finally had time to stare at the problem all day. For notiufication of comaintainers I opted for a quick and dirty hack -- notify comaintainers of any package that fit the criteria rather than only the comaintainers of packages where the new comaintainers weren't already approved.

Login to comment on this ticket.

Metadata