#6424 pagure-dist-git doesn't enforce groups to have "packager" prerequisite
Closed: Fixed 5 years ago Opened 6 years ago by ignatenkobrain.

@karsten added modularity-wg group to have commit access in cloud-init module and apparently it worked. However, what I see in FAS (https://admin.fedoraproject.org/accounts/group/view/modularity-wg), Prerequisite: cla_done...

Does that mean that non-packagers can push code to that repository?

In PkgDB era I remember having restriction on groups which end with -sig..


Groups shouldn't be created in pagure, they are synced from FAS

Looking into this

Ok so I read this too quickly, the group is coming from FAS but the group in FAS doesn't enforce the packager membership which does raise questions.

However, currently only packagers can push via ssh (cf #6361) so it's not an issue atm but will become one.

Metadata Update from @pingou:
- Issue tagged with: src.fp.o

6 years ago

Hmm. Wouldn't we want packager to be an implicit prerequisite for pushing to dist-git instead? Or have a way to specify "member of packager AND modularity_wg"? I don't know that we want to restrict modularity_wg membership to packagers.

The issue is more that this group shouldn't have been used in pagure over dist-git :)

Heh, not sure I agree. I can think of valid use cases for opening a component to arbitrary FAS group members (as long as the restriction on packager can somehow be made).

Metadata Update from @kevin:
- Issue priority set to: Next Meeting

5 years ago

> Heh, not sure I agree. I can think of valid use cases for opening a component to arbitrary FAS group members (as long as the restriction on packager can somehow be made).

Restriction (at the group) only doable in FAS, so we should only give commit access in pagure to FAS groups that have that requirement (in FAS).

So, since we are the ones adding new groups here and can disallow any that don't require packager, we can just close this for now?

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Next Meeting)

5 years ago

> So, since we are the ones adding new groups here and can disallow any that don't require packager, we can just close this for now?

I'd want to make sure of the first part, once we are, I think we can close this indeed :)

Any news here? As far as I can tell non admins cannot add groups... so I think we can just close this.

I am pretty sure this is fixed since we had to add the orphan user to packager to allow people to give it packages. Closing now... re-open if there's anything further to do here.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago
