Fedora-Council/tickets ticket #456: Gitlab Groups and Permissions

@ryanlerch filed Fedora-Council/tickets ticket #456. Discuss here and record votes and decisions in the ticket.

Ticket text:

Hey @ryanlerch, this is a good topic.

I am +1 to require FAS group links so that FPCA is not a concern with contributions. I wonder if we are able to do this in Pagure though (i.e. is an unsigned account able to contribute and commit on Pagure?).

While I think the link should be enforced for MRs and commits, I don’t feel the same for issues. I wonder whether it would be possible for issues to be globally open to anyone on GitLab, FPCA or not. This is a sticky point for some teams collaborating more widely; some people get a message that an issue is locked only to maintainers, which not only is an unhelpful/untrue message, but it is also off-putting to others who want to participate in Fedora without being closely connected as a registered contributor.


[quote=“@ryanlerch”]
When the Fedora gitlab instance was created, after some discussion, it was decided that permissions be handled by FAS Groups which then assign permissions to certain roles in gitlab. This was chosen as the best way forward, for one main reason: everyone contributing to a group or repo in gitlab/Fedora would have to log in using a Fedora Account, and signed the FPCA.
[/quote]

Well, that’s not how I remember it. I recall we set up the fas groups
setup, but decided it would be ok to let particular groups manage things
in gitlab if they wanted to. Perhaps I misunderstood, but that’s what I
recall from the saml2 setup. :wink:

[quote=“@ryanlerch”]
Currently, it is possible for a group to add people not associated with a FAS account (primarily if the SAML group linking is not set up or removed by the group owner). And we have one sig explicitly asking to just manage permissions with gitlab – which opens that sig up to adding users without FAS accounts or signed the FPCA: https://pagure.io/fedora-infrastructure/issue/11326

The question here is, should we enforce groups to use the SAML/FAS group links to ensure users have a FAS account / have signed the FPCA?
[/quote]

I guess I’d say that’s a legal question?

Some of the content on gitlab is not content we distribute as ‘fedora’
(except, I guess if you consider having it simply exist under
fedora · GitLab is making it distributed by fedora).

[quote]
Hey @ryanlerch, this is a good topic.

I am +1 to require FAS group links so that FPCA is not a concern with contributions. I wonder if we are able to do this in Pagure though (i.e. is an unsigned account able to contribute and commit on Pagure?).
[/quote]

You will have to be more explicit when you say ‘pagure’. :slight_smile:

pagure.io used to have such a restriction and it was removed because
pagure.io was set up to be a ‘general source forge’ for any open source
work, and wasn’t something ‘fedora’ distributed.

src.fedoraproject.org / packages do require packagers to merge any PRs
or push any direct commits and they must have acked the FPCA.
And we do distribute that content.

[quote]
While I think the link should be enforced for MRs and commits, I don’t feel the same for issues. I wonder whether it would be possible for issues to be globally open to anyone on GitLab, FPCA or not. This is a sticky point for some teams collaborating more widely; some people get a message that an issue is locked only to maintainers, which not only is an unhelpful/untrue message, but it is also off-putting to others who want to participate in Fedora without being closely connected as a registered contributor.
[/quote]

Yeah, I don’t think there’s an option for that in gitlab, but I could be
wrong. (The gitlab prefs are vast :slight_smile:)

I suspect we would need a Legal consultation for this, in order to move forward confidently.

Knowing how Pagure worked is helpful though. This is a hard one for me. I see value in making sure we know someone contributing intellectual property (IP) to Fedora is doing so under open licenses and that Fedora has a right in perpetuity to use that IP.

However, the GitLab quirks are awkward. I think the fact that anyone on GitLab dot com has to link a FAS account to open issues, comment on things, or engage in general makes us lose the value of being in a larger git forge ecosystem. Many people who are more casual drive-through contributors may never cross that FAS barrier. It does stop us from getting more engagement and participation from folks who might otherwise not contribute.

Maybe this is the kind of reason why Richard Fontana opened a ticket a while back about abolishing the FPCA.

I’d be curious to hear opinions from others on what seems best to do.

Yeah… perhaps @ref and/or @jlovejoy could chime in?

The other issue that’s kind of messy with the SAML2 groups is that you need a separate group for every gitlab power level, which means you need like 5 groups per project, so that’s a lot of groups in the end. ;(

Also, @sgallagh might have some input, I think he knows the gitlab auth setup pretty well, and we might be missing something?


The Gitlab account thing is turning out to be a mess for more reasons than this. After Summit next week, I want to push harder on our options for our own dedicated Gitlab.

@ref raised the issue here Issue #410: Abolish Fedora Project Contributor Agreement - tickets - Pagure.io as a matter for the Fedora Council and looks like it was discussed here: Fedora-Council/tickets ticket #410: Abolish Fedora Project Contributor Agreement - #5 by kevin

Looks like it was closed as “deferred” - not sure what that means process-wise for re-opening?

We can reopen. At the time, several council members felt that there were unanswered practical questions.

I triaged this ticket as an agenda time for the 2023-06-07 Council meeting at 2023-06-07T14:00:00Z.

Discussed in 2023-06-07 Council meeting.


[quote]
The question here is, should we enforce groups to use the SAML/FAS group links to ensure users have a FAS account / have signed the FPCA?
[/quote]

The Council approves (+3/0/-0) the continued use of the GitLab SAML link for membership to the Fedora GitLab.com organization (and thus, the FPCA requirement), but participation in the Fedora namespace repositories and issue trackers should not require a FAS-linked GitLab account to participate.

There was a short conversation that long-term, we aren’t really happy with this integration as-is but this is because we have been talking about better options for git forges in general for a while. There were rumblings about a dedicated GitLab platform just for Fedora (e.g. git.fedoraproject.org et al) but right now, this is a capacity-related planning question and should not block this ticket.

I closed the Pagure ticket as resolved.

In this context: For me as a packager with an existing GitLab account, it is not clear what “To allow fedora to manage your GitLab account” means, which is what you get when you are signed in to your GitLab account and click that “link” link. It does sound scary and much more than just “linking”.

If you click that link without being signed in then a GitLab account is created automatically - that does not sound right either. The confirmation e-mail says:

[quote]
To ensure no loss of personal content, this account should only be used for matters related to fedora.
For individual use, create a separate account under your personal email address, not tied to the Enterprise email domain or group.
[/quote]

This all sounds way too enterprisey and does not match an individual contributor at all - why should I use separate GitLab accounts for Fedora work vs. other OSS work?

So, not wanting to link is not so much about the FPCA (which I have signed), at least in my case and possibly other packagers’ cases, but about the issues above.

I mean: My fedora-e-mail-alias is for Fedora work only, of course. And so would be a gitlab user on a Fedora gitlab instance. But not a user on the gitlab.com instance which happens to participate in the Fedora group, too.

@mjg I wonder if we could relieve some of these concerns in the guide that @gui1ty wrote up about linking with GitLab.

I am pretty sure it was content written by @gui1ty, but now I cannot find the PR/MR where this was written up. I recall that it was not yet merged at the time when I saw it last.