Page MenuHomePhabricator

Define a process to import and create repositories
Closed, ResolvedPublic

Description

@Chad says on wikitech-l:

I agree, having to request is problematic. The main reason this happened is that Gerrit has always made it easier to screw up than do it right when creating your project (it's not just that you *can* screw up, but that the defaults *encourage* a non-admin to screw up).

If it was the mediawiki-core group, that might scale. It's a far smaller group. The whole thing is rather silly I'm afraid as I've never scaled this process out beyond Christian [@QChris] and myself really.
I think this should be a much *much* larger group in Phabricator than we've done in Gerrit. It's much harder to screw yourself over.

Permissions to be defined (please correct / fine tune if needed):

  • Who can initially import existing repos (Gerrit, SVN, GitHub) and how to join this group.
  • Who can initially create new repos and how to join this group.

Related Objects

StatusSubtypeAssignedTask
ResolvedDzahn
Resolved Cmjohnson
ResolvedDzahn
ResolvedDanny_B
ResolvedPaladox
StalledDzahn
Resolved demon
Resolved demon
ResolvedPaladox
ResolvedNemo_bis
Resolved demon
ResolvedPaladox
ResolvedKrenair
Resolved mmodell
InvalidNone
DeclinedNone
Resolved demon
InvalidNone
InvalidNone
ResolvedQgil
DeclinedNone
DuplicateNone
DeclinedNone
Resolvedgreg

Event Timeline

Qgil raised the priority of this task from to Low.
Qgil updated the task description. (Show Details)
Qgil added a project: Gerrit-Migration.
Qgil changed Security from none to None.
Qgil added subscribers: Aklapper, Qgil, greg and 16 others.

In Gerrit we had people request repositories on a wiki page https://www.mediawiki.org/wiki/Gerrit/New_repositories which has some guidelines. I don't think I ever used that page though :D

The list of people allowed to create new repositories in Gerrit is the group "Project and Group Creators" https://gerrit.wikimedia.org/r/#/admin/groups/119,members which also includes Gerrit administrators https://gerrit.wikimedia.org/r/#/admin/groups/1,members

In Phabricator I guess we can create a group that contains those people and let them virally add more folks to it.

  • Repos from SVN require shell access to the SVN box, so that will remain only something that a limited number of people can do.
  • Git repos are mostly the same so we'll be able to give this group to anyone in theory--no special access needed.

Really we need to make sure we're clear on naming conventions (especially on callsigns since those cannot ever change).

+1 to the idea of making it a viral group.

In T1009#17490, @Chad wrote:
  • Repos from SVN require shell access to the SVN box, so that will remain only something that a limited number of people can do.
  • Git repos are mostly the same so we'll be able to give this group to anyone in theory--no special access needed.

Really we need to make sure we're clear on naming conventions (especially on callsigns since those cannot ever change).

People added to this group also need to be clear on the policy that repositories are open source (https://www.mediawiki.org/wiki/Template:Extension/Expectations).

In T1009#21839, @Mattflaschen wrote:
In T1009#17490, @Chad wrote:
  • Repos from SVN require shell access to the SVN box, so that will remain only something that a limited number of people can do.
  • Git repos are mostly the same so we'll be able to give this group to anyone in theory--no special access needed.

Really we need to make sure we're clear on naming conventions (especially on callsigns since those cannot ever change).

People added to this group also need to be clear on the policy that repositories are open source (https://www.mediawiki.org/wiki/Template:Extension/Expectations).

I don't see that as a problem.

Proposal

  • Create a Diffusion-Repository-Administrators group in Phabricator that gives members the needed permissions to create/edit/etc repositories in Phab.
    • {{DONE}}
  • To become a member of that group, one must:
    • file a task requesting access
    • have read and agreed to the repository guidelines (mostly naming conventions, really, and the "everything hosted here is open source, please use an OSI-approved license" obvious bit)
    • show a legitimate need to be a member of the group
    • a current member of the group reviews and adds them or declines

This will be documented here: https://www.mediawiki.org/wiki/Phabricator/Diffusion#Requesting_a_new_repository

I've already taken a first stab at cleaning up that page and documenting this there.

I would feel a better if we were backing up repo's hosted in Phab to somewhere not iridium before we do this. Right now it's a primary source for only scap3 (I think?), and it's true we have repo's scattered about on dev laptops, but a full recovery of known state without a backup from iridium would be a huge hassle and maybe even impossible.

I would feel a better if we were backing up repo's hosted in Phab to somewhere not iridium before we do this. Right now it's a primary source for only scap3 (I think?), and it's true we have repo's scattered about on dev laptops, but a full recovery of known state without a backup from iridium would be a huge hassle and maybe even impossible.

Should be easy to configure backula to backup the /srv/phab/repos directory, we do the same in Gerrit.

I would feel a better if we were backing up repo's hosted in Phab to somewhere not iridium before we do this. Right now it's a primary source for only scap3 (I think?), and it's true we have repo's scattered about on dev laptops, but a full recovery of known state without a backup from iridium would be a huge hassle and maybe even impossible.

Should be easy to configure backula to backup the /srv/phab/repos directory, we do the same in Gerrit.

T120045: Configure backula to backup the /srv/phab/repos directory