Page MenuHomePhabricator

Request creation of globalgadgets VPS project
Closed, DeclinedPublic

Description

Project Name: globalgadgets

Wikitech Usernames of requestors: @Sylvain_WMFr @0x010C @Ltrlg @Toniher @Framawiki

Purpose: During the T181381: French Wikimedia projects Pre-Hackathon we've been working on the follow up of T159334: Discussion: Create a Central Gadget Taskforce, we want to create a git server to store gadgets.

Brief description: A git repository (Gitlab or Gogs probably) to host centralized and internationalized gadgets that will be pushed on local wikis using bot.

How soon you are hoping this can be fulfilled: as soon as possible :)

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 15 2018, 1:01 PM
Townie added a subscriber: Townie.Apr 15 2018, 3:00 PM
Elitre added a subscriber: Elitre.Apr 16 2018, 1:17 PM
Andrew added a subscriber: Andrew.Apr 17 2018, 3:33 PM

Can you tell me more about why this isn't a candidate for a new Gerrit project?

This is currently discussed at T194971.

I put here the pros and cons as discussed during the meetup (thanks @Trizek-WMF ):

Pros:

  • on Gerrit, people will not be able to edit/contribute. A lot of other tools are hosted elsewhere for that.
    • (side note) Release Engineering should be aware of that and be asked if they consider to offer a different tool/interface.
  • More advanced code review features are overkill for a gadget project
  • Possible to get a grant to have a specific server.

Cons:

  • Gerrit is used on all other projects
  • More advanced code review features
  • What about the Gerrit to GitLab migration?
  • Multiplies the number of used tools

Another con: No automated backups in Cloud VPS.

"on Gerrit, people will not be able to edit/contribute." - what? On Gerrit you definitely can edit/contribute, that's what it's there for
"More advanced code review features are overkill for a gadget project" - gadgets run in the context of other users sessions and should be subject to the same level of scrutiny as official extension changes
"Possible to get a grant to have a specific server." - you mean a financial grant? for running a separate server instead of using the existing one?

@Krenair makes some good points above. Additionally I find the con list confusing:

Cons:

Gerrit is used on all other projects

How is this a con?

More advanced code review features

How is this a con?

What about the Gerrit to GitLab migration?

What does this mean?

Multiplies the number of used tools

Gerrit is already used by every developer in the WMF ecosystem I imagine.

chasemp triaged this task as Normal priority.May 29 2018, 10:10 PM

@chasemp as I understood it the pros and cons are about creating the project, so pros there are against using gerrit and cons are pro-gerrit.

While having a sanely setup repo in Cloud VPS is non-trivial, I do think it is a difficult proposition to force gerrit use for gadget editing on wikis. Right now all the review for gadgets is through wiki-pages, do we want to jump straight to gerrit? I fear that much of change will decrease the likelihood of adoption of any code-review for gadgets by the communities.

That makes a lot more sense, thanks Chico

bd808 added a comment.EditedJul 12 2018, 6:28 PM

Personally, I think the core idea is great but that the git hosting and code review should be handled through gerrit rather than a specialized hosting service run in an inherently insecure environment.

We talked this over in the Cloud Services team meeting again this week. We have quite a few concerns about the long term stability and viability of creating an isolated git hosting solution for the basic problem. We decided however that these concerns are orthogonal to the actual request being made. It is not our team's duty or mandate to control what can be attempted by the technical community.

On a less theoretical and more practical note, we do have a concern that this git hosting will need to be carefully thought out in order to comply with https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use. Specifically, authentication to the git service itself must not use Wikimedia developer accounts (Wikimedia's LDAP server). It also should not use local passwords if at all possible.

We are willing to go ahead with the creation of the Cloud VPS project if the requesting users are ready to put it to use and willing to abide by the Terms of Use.

bd808 changed the task status from Open to Stalled.Oct 14 2018, 11:02 PM

No feedback from project requestors

@Ash_Crow @0x010C @Ltrlg @Toniher @Framawiki: Please reply to the latest comments here, otherwise this task will end up as declined. :-/ Thanks!

Sylvain_WMFr updated the task description. (Show Details)Nov 26 2018, 5:13 PM

I had no time to work on this since Barcelona, but basically:

  • right now, none of the people interested in participating is this has spoken in favor of gerrit. if there is no intersection between "users who want to write centralized gadgets" and "users willing to use gerrit", there is no point on doing this there.
  • if hosting it on the Cloud Services makes it harder to do it (because of the terms of use or anything else), then it is probably better to host it on another platform.

At this point, it seems easier to host it either on a gitlab on a Wikimédia France server or on a public git instance like framagit.org, test the centralization of some gadgets on it and see for a potential migration to gerrit or a dedicated server after having real feedback (I mean, migrating a repository from one git instance to another is easy), instead of using the Wikimedia Foundation resources.

Elitre removed a subscriber: Elitre.Nov 28 2018, 2:32 PM
Tgr added a subscriber: Tgr.Jan 4 2019, 1:40 AM

Sorry but this seems like a terrible idea. If you want to use Gitlab or Github or whatever instead of Gerrit, that might be a reasonable discussion, but don't go and roll your own repository in an inherently insecure environment where anyone can change the javascript that will be deployed to production, without any ability to detect or audit it.

Using a WMFR or other private server is slightly better, but only slightly. You are basically asking Wikimedia operations to include your website in the production infrastructure as a potential weakest link. How much do you trust it to match the security expectations for a top10 website? It's not totally unheard of (Translatewiki is in a somewhat similar situation), but it's not something to take lightly, either.

I assume the recent silence realistically makes this task "declined"? :-/

Aklapper closed this task as Declined.Mar 11 2019, 11:24 AM

Boldly declining per discussion.