METADATA push access limited to Julia committers

METADATA push access limited to Julia committers

Stefan Karpinski
There's been an increasing amount of chaos on the METADATA repository due to the large number of people who have commit access to it. Because of this, I've restricted push access to people who have commit access to julia itself. Going forward, there will need to be broader changes to how we deal with registering and tagging new packages and versions, but for now this should keep things a little saner. If you want to register a new package or tag a new version of an existing package, you should be able to do so using pull requests and someone with commit access will merge those PRs once CI passes. Sorry for the additional hassle.

Stefan


Re: METADATA push access limited to Julia committers

Tony Kelman
Even people with commit access should really go through PRs rather than direct pushes to METADATA (and base Julia too for that matter). Otherwise a mis-tag could cause Travis to start failing for unrelated innocent PRs. And new packages should really go through a bit of name bikeshedding/review even if authored by an established contributor.


On Thursday, September 10, 2015 at 8:45:33 AM UTC-7, Stefan Karpinski wrote:
There's been an increasing amount of chaos on the METADATA repository due to the large number of people who have commit access to it. Because of this, I've restricted push access to people who have commit access to julia itself. Going forward, there will need to be broader changes to how we deal with registering and tagging new packages and versions, but for now this should keep things a little saner. If you want to register a new package or tag a new version of an existing package, you should be able to do so using pull requests and someone with commit access will merge those PRs once CI passes. Sorry for the additional hassle.

Stefan


Re: METADATA push access limited to Julia committers

milktrader
In reply to this post by Stefan Karpinski
Any chance of a day pass for when package developers have a flurry of tags? 

I'm not sure if this is possible, but a restricted privileges setup would be nice, where package developers are free to push updates, but not commit new packages, either others or their own. 

On Thursday, September 10, 2015 at 11:45:33 AM UTC-4, Stefan Karpinski wrote:
There's been an increasing amount of chaos on the METADATA repository due to the large number of people who have commit access to it. Because of this, I've restricted push access to people who have commit access to julia itself. Going forward, there will need to be broader changes to how we deal with registering and tagging new packages and versions, but for now this should keep things a little saner. If you want to register a new package or tag a new version of an existing package, you should be able to do so using pull requests and someone with commit access will merge those PRs once CI passes. Sorry for the additional hassle.

Stefan


Re: METADATA push access limited to Julia committers

Patrick O'Leary
Ultimately, a homu-like GitHub bot (http://homu.io/) could autocommit certain METADATA changes--I think this has been discussed, but no one has had the opportunity to set something up.

On Tuesday, September 15, 2015 at 10:54:23 AM UTC-5, Milktrader wrote:
Any chance of a day pass for when package developers have a flurry of tags? 

I'm not sure if this is possible, but a restricted privileges setup would be nice, where package developers are free to push updates, but not commit new packages, either others or their own. 

On Thursday, September 10, 2015 at 11:45:33 AM UTC-4, Stefan Karpinski wrote:
There's been an increasing amount of chaos on the METADATA repository due to the large number of people who have commit access to it. Because of this, I've restricted push access to people who have commit access to julia itself. Going forward, there will need to be broader changes to how we deal with registering and tagging new packages and versions, but for now this should keep things a little saner. If you want to register a new package or tag a new version of an existing package, you should be able to do so using pull requests and someone with commit access will merge those PRs once CI passes. Sorry for the additional hassle.

Stefan


Re: METADATA push access limited to Julia committers

Stefan Karpinski
I think this is the best approach: automerging PRs that pass CI and only introduce new versions of existing packages or change the requirements of existing versions.

On Tue, Sep 15, 2015 at 1:32 PM, Patrick O'Leary <[hidden email]> wrote:
Ultimately, a homu-like GitHub bot (http://homu.io/) could autocommit certain METADATA changes--I think this has been discussed, but no one has had the opportunity to set something up.


On Tuesday, September 15, 2015 at 10:54:23 AM UTC-5, Milktrader wrote:
Any chance of a day pass for when package developers have a flurry of tags? 

I'm not sure if this is possible, but a restricted privileges setup would be nice, where package developers are free to push updates, but not commit new packages, either others or their own. 

On Thursday, September 10, 2015 at 11:45:33 AM UTC-4, Stefan Karpinski wrote:
There's been an increasing amount of chaos on the METADATA repository due to the large number of people who have commit access to it. Because of this, I've restricted push access to people who have commit access to julia itself. Going forward, there will need to be broader changes to how we deal with registering and tagging new packages and versions, but for now this should keep things a little saner. If you want to register a new package or tag a new version of an existing package, you should be able to do so using pull requests and someone with commit access will merge those PRs once CI passes. Sorry for the additional hassle.

Stefan



Re: METADATA push access limited to Julia committers

Simon Kornblith
(and are submitted by someone with commit access to the package's repository)

On Tuesday, September 15, 2015 at 2:28:12 PM UTC-4, Stefan Karpinski wrote:
I think this is the best approach: automerging PRs that pass CI and only introduce new versions of existing packages or change the requirements of existing versions.

On Tue, Sep 15, 2015 at 1:32 PM, Patrick O'Leary <patrick...@...> wrote:
Ultimately, a homu-like GitHub bot (http://homu.io/) could autocommit certain METADATA changes--I think this has been discussed, but no one has had the opportunity to set something up.


On Tuesday, September 15, 2015 at 10:54:23 AM UTC-5, Milktrader wrote:
Any chance of a day pass for when package developers have a flurry of tags? 

I'm not sure if this is possible, but a restricted privileges setup would be nice, where package developers are free to push updates, but not commit new packages, either others or their own. 

On Thursday, September 10, 2015 at 11:45:33 AM UTC-4, Stefan Karpinski wrote:
There's been an increasing amount of chaos on the METADATA repository due to the large number of people who have commit access to it. Because of this, I've restricted push access to people who have commit access to julia itself. Going forward, there will need to be broader changes to how we deal with registering and tagging new packages and versions, but for now this should keep things a little saner. If you want to register a new package or tag a new version of an existing package, you should be able to do so using pull requests and someone with commit access will merge those PRs once CI passes. Sorry for the additional hassle.

Stefan



Re: METADATA push access limited to Julia committers

Tony Kelman
In reply to this post by Stefan Karpinski

We should probably do an automated system for the future more open namespaced metadata, but even version bumps within the "curated" subset should require at least minimal human review as a sanity check against obviously broken or malicious code.




On Tue, Sep 15, 2015 at 11:28 AM -0700, "Stefan Karpinski" <[hidden email]> wrote:

I think this is the best approach: automerging PRs that pass CI and only introduce new versions of existing packages or change the requirements of existing versions.

On Tue, Sep 15, 2015 at 1:32 PM, Patrick O'Leary <[hidden email]> wrote:
Ultimately, a homu-like GitHub bot (http://homu.io/) could autocommit certain METADATA changes--I think this has been discussed, but no one has had the opportunity to set something up.


On Tuesday, September 15, 2015 at 10:54:23 AM UTC-5, Milktrader wrote:
Any chance of a day pass for when package developers have a flurry of tags? 

I'm not sure if this is possible, but a restricted privileges setup would be nice, where package developers are free to push updates, but not commit new packages, either others or their own. 

On Thursday, September 10, 2015 at 11:45:33 AM UTC-4, Stefan Karpinski wrote:
There's been an increasing amount of chaos on the METADATA repository due to the large number of people who have commit access to it. Because of this, I've restricted push access to people who have commit access to julia itself. Going forward, there will need to be broader changes to how we deal with registering and tagging new packages and versions, but for now this should keep things a little saner. If you want to register a new package or tag a new version of an existing package, you should be able to do so using pull requests and someone with commit access will merge those PRs once CI passes. Sorry for the additional hassle.

Stefan



Re: METADATA push access limited to Julia committers

Tom Breloff
@tkelmen: Agreed.  There's also the issue of security.  I was surprised to see so many people with major commit access that don't even have two-factor authentication turned on.

On Tue, Sep 15, 2015 at 2:42 PM, <[hidden email]> wrote:

We should probably do an automated system for the future more open namespaced metadata, but even version bumps within the "curated" subset should require at least minimal human review as a sanity check against obviously broken or malicious code.




On Tue, Sep 15, 2015 at 11:28 AM -0700, "Stefan Karpinski" <[hidden email]> wrote:

I think this is the best approach: automerging PRs that pass CI and only introduce new versions of existing packages or change the requirements of existing versions.

On Tue, Sep 15, 2015 at 1:32 PM, Patrick O'Leary <[hidden email]> wrote:
Ultimately, a homu-like GitHub bot (http://homu.io/) could autocommit certain METADATA changes--I think this has been discussed, but no one has had the opportunity to set something up.


On Tuesday, September 15, 2015 at 10:54:23 AM UTC-5, Milktrader wrote:
Any chance of a day pass for when package developers have a flurry of tags? 

I'm not sure if this is possible, but a restricted privileges setup would be nice, where package developers are free to push updates, but not commit new packages, either others or their own. 

On Thursday, September 10, 2015 at 11:45:33 AM UTC-4, Stefan Karpinski wrote:
There's been an increasing amount of chaos on the METADATA repository due to the large number of people who have commit access to it. Because of this, I've restricted push access to people who have commit access to julia itself. Going forward, there will need to be broader changes to how we deal with registering and tagging new packages and versions, but for now this should keep things a little saner. If you want to register a new package or tag a new version of an existing package, you should be able to do so using pull requests and someone with commit access will merge those PRs once CI passes. Sorry for the additional hassle.

Stefan




Re: METADATA push access limited to Julia committers

Stefan Karpinski
In reply to this post by Simon Kornblith
On Tue, Sep 15, 2015 at 2:41 PM, Simon Kornblith <[hidden email]> wrote:
(and are submitted by someone with commit access to the package's repository)

Right, that's a fairly important criterion. PRs that don't meet this can be merged but should be merged manually.
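
Added example, not part of the original thread and not the Julia project's code: the automerge criteria discussed above (CI passes, the PR only introduces new versions of existing packages or changes the requirements of existing versions, and it is submitted by someone with commit access to the package's repository) written as a decision function. The registry file layout, the function name and the package names Foo and Bar are assumptions made for illustration.

```python
import re

# Assumed layout (not stated in the thread):
#   <Pkg>/versions/<x.y.z>/sha1      commit the version tag points at
#   <Pkg>/versions/<x.y.z>/requires  dependency requirements of that version
VERSION_FILE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)/versions/(\d+\.\d+\.\d+)/(sha1|requires)")


def automerge_decision(changes, registered, ci_passed, author_repos):
    """Decide whether a registry PR may merge without a human.

    changes      -- list of (status, path); status is 'A', 'M' or 'D'
    registered   -- package names already present on the base branch
    ci_passed    -- True when CI is green for the PR head
    author_repos -- packages whose repository the PR author can push to
    Returns (automerge, reasons); any reason sends the PR to manual merge.
    """
    reasons = []
    if not ci_passed:
        reasons.append("CI has not passed")
    if not changes:
        reasons.append("empty change set")
    for status, path in changes:
        m = VERSION_FILE.fullmatch(path)  # fullmatch rejects '..' and stray suffixes
        if m is None:
            reasons.append(f"{path}: outside versions/*/sha1|requires")
            continue
        pkg, _version, kind = m.groups()
        if pkg not in registered:
            reasons.append(f"{path}: registers a new package")
        elif pkg not in author_repos:
            reasons.append(f"{path}: author lacks commit access to {pkg}")
        if status == "D":
            reasons.append(f"{path}: removes registry data")
        elif kind == "sha1" and status != "A":
            # Not a "new version": an existing tag would point somewhere else.
            reasons.append(f"{path}: re-points an existing version")
    return (not reasons, reasons)


# Constructed sample PRs; Foo is registered, Bar is not.
REGISTERED = {"Foo"}
NEW_VERSION = [("A", "Foo/versions/0.2.0/sha1"), ("A", "Foo/versions/0.2.0/requires")]
NEW_PACKAGE = [("A", "Bar/url"), ("A", "Bar/versions/0.0.1/sha1")]
RETAG = [("M", "Foo/versions/0.1.0/sha1")]

if __name__ == "__main__":
    for name, pr in [("new version", NEW_VERSION), ("new package", NEW_PACKAGE), ("retag", RETAG)]:
        print(name, automerge_decision(pr, REGISTERED, True, {"Foo"}))
```

The gate is an allow-list: anything it cannot positively classify as a version or requirements change falls through to manual merge, which matches the last message's "can be merged but should be merged manually".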