#9490 Creating a new group in Fedroa dist-git
Opened 2 months ago by mruprich. Modified 2 months ago

Describe what you would like us to do:


Create a new group at https://src.fedoraproject.org/groups for accessing tests at https://src.fedoraproject.org/projects/tests/* . This group would be for package maintainers in Infrastructure-Services team in Red Hat and for our colleagues from QE. We are slowly moving some of our tests to the tests/* namespace and it would help with maintaining access rights to our test repositories.

You can name the group InfraServ-team.

When do you need this to be done by? (YYYY/MM/DD)


No specific date, as soon as you can take a look at this. Thanks


Unfortunatly we are not able to create groups that can be used only in the tests namespace, so you will have to get a regular dist-git group, which comes with some requirements.

We've documented the different groups available in Fedora at: https://pagure.io/fedora-infra/howtos/blob/master/f/groups_in_fedora.md
Please have a look at it, as we will need some more information from you to process this request.

Metadata Update from @mohanboddu:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops

2 months ago

Thanks @pingou,
I think that the description best fits the pkgdb group. The only problem I see is that some of the people in the group are not in the packager group. The group would consist of package maintainers and a couple of QE, but QE usually don't have a sponsorship because they don't maintain any packages so they are not part of packager group.

On the other hand, I only need this to manage access to the tests/* namespace, I don't want to extend this to any package, just the tests.

Not sure about the mailing list though, I understand that it is mandatory to create one together with the group?

Thanks,
Michal

So the issue is that there are no distinctions between groups. Once a group is created, it can be given commit access to all projects in the tests/ namespace, but also to any project in the rpms/ namespace or the modules/ namespace and everyone who is committing to these namespaces must be in the packager groups. Thus the requirement for pkgdb group to require the packager membership.

(A side note: only packagers have ssh access to dist-git, so the non-packager members of the group will have to push via https - just something to keep in mind :))

Not sure about the mailing list though, I understand that it is mandatory to create one together with the group?

Technically it is, although in this case, since the projects in the tests/ namespace are not synced to bugzilla, we can likely make an exception. It will break things if the group is ever added to a non-tests project but we (infra) will be warned about it.

(A side note: only packagers have ssh access to dist-git, so the non-packager members of the group will have to push via https - just something to keep in mind :))

So this means that even a non-packager can be part of the group? If they are ok with pushing stuff via https?

(A side note: only packagers have ssh access to dist-git, so the non-packager members of the group will have to push via https - just something to keep in mind :))

So this means that even a non-packager can be part of the group? If they are ok with pushing stuff via https?

Yes and this is the core of the issue since if the group was added as a maintainer of a package in the rpms or modules namespace, all of its members would have access to the package without being packager.

I see, well there are those who said that they will give our QE sponsorship for this purpose if needed but I am not sure if that is the right way to do this. Do you mind if I raise this question on fedora-devel? It might actually spark an interesting discussion.

Do you mind if I raise this question on fedora-devel? It might actually spark an interesting discussion.

Not at all.

Login to comment on this ticket.

Metadata
Boards 1
ops Status: Backlog