#4166 Adopt policy that SCM request should be accepted from authorized users only
Closed: Fixed None Opened 10 years ago by ppisar.

FESCo ticket ​https://fedorahosted.org/fesco/ticket/981 moved to rel-eng queue.
Rel-eng ticket https://fedorahosted.org/rel-eng/ticket/5418 moved to Infrastructure queue.

= Phenomenon =

SCM adminstrators proceed SCM request from non-authorized applicants.

= Background Analysis =

spot added SCM change request for 4 packages he does not own nor co-maintain and SCM administrator has processed the requests. The requests were to create new branches owned by master owners.

Example [​​https://bugzilla.redhat.com/show_bug.cgi?id=835544#c7]:

{{{
From: Tom "spot" Callaway 2012-12-11 21:50:00 GMT

Package Change Request

Package Name: perl-Pod-Markdown
New Branches: f16 f17
Owners: jplesnik mmaslano ppisar psabata
InitialCC: perl-sig

From: Jon Ciesla 2012-12-12 13:14:20 GMT

Git done (by process-git-requests).
}}}

This undermines regular maintainers' rights and obligations because they cannot even be sure which branches their packages exist and which they are responsible for. This conflicts with current policy for creating additional branches on behalf third persons (the third person, owner of new branch, asks current owner and current owner submits SCM request.)

= Implementation recommendation =

Fedora Infrastructure will accept SCM changes only from requesters who own or co-maintaint the package. This requires mapping between Bugzilla and FAS accounts. E-mail address can be used as the binding attribute.


I already expressed a negative opinion of this change here https://fedorahosted.org/rel-eng/ticket/5418#comment:5

I think that the releng ticket was seen by most of the relevant people already:

Members of cvsadmin: ausil huzaifas jwboyer @kevin limb lmacken mikeb @mmcgrath @notting pbabinca petersen spot @tibbs till toshio

limb and spot were explicitly CC'd. ausil, jwboyer, kevin, till, and toshio were aware of it since they replied to the tickets. lmacken and notting are on the rel-eng list.

As for where this ticket should belong, there's considerable overlap between cvsadmin and both infrastructure and rel-eng. So it's probably okay for either one or the other trac instances to be used. To make sure it is seen by all the cvsadmins, add cvsadmin-members to the CC list.

Have you seen the proposed new process?
http://blog.pingoured.fr/index.php?post/2015/01/22/New-branch-request-process

Do you think this would work for you?

Note: you can only request a branch for yourself, not for someone else.

The new process is entirely in pkgdb and thus only allows authorized users.

Log in to comment on this ticket.

Metadata