X-Original-To: alpine-devel@lists.alpinelinux.org
Received: from newmail.tetrasec.net (unknown [172.21.74.12])
	by lists.alpinelinux.org (Postfix) with ESMTP id B50F65C455C
	for <alpine-devel@lists.alpinelinux.org>; Tue, 21 Mar 2017 08:57:06 +0000 (GMT)
Received: from ncopa-desktop.copa.dup.pw (15.63.200.37.customer.cdi.no [37.200.63.15])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: n@tanael.org)
	by newmail.tetrasec.net (Postfix) with ESMTPSA id A57385A07E4;
	Tue, 21 Mar 2017 08:57:05 +0000 (GMT)
Date: Tue, 21 Mar 2017 09:56:58 +0100
From: Natanael Copa <ncopa@alpinelinux.org>
To: William Pitcock <nenolod@dereferenced.org>
Cc: alpine-dev <alpine-devel@lists.alpinelinux.org>
Subject: Re: [alpine-devel] RFC: Soft commit rights for established
 maintainers
Message-ID: <20170321095658.4b8824fa@ncopa-desktop.copa.dup.pw>
In-Reply-To: <CA+T2pCGmGxb8Tffx=fxa5KLZ4QcmKRux+chfaN96xYC7_PUCuQ@mail.gmail.com>
References: <CA+T2pCGmGxb8Tffx=fxa5KLZ4QcmKRux+chfaN96xYC7_PUCuQ@mail.gmail.com>
X-Mailer: Claws Mail 3.14.1 (GTK+ 2.24.28; x86_64-alpine-linux-musl)
X-Mailinglist: alpine-devel
Precedence: list
List-Id: Alpine Development <alpine-devel.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-devel+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-devel@lists.alpinelinux.org>
List-Help: <mailto:alpine-devel+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-devel+subscribe@lists.alpinelinux.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Tue, 21 Mar 2017 03:21:11 -0500
William Pitcock <nenolod@dereferenced.org> wrote:

> Hello,
> 
> As we all know, new contributors to Alpine who wish to become Alpine
> Developers go through a process to gain commit rights, meanwhile
> Maintainers have to find a Developer to commit their work by proxy.
> 
> As the project has grown, multiple people have introduced new channels
> for maintainers to work in the distribution, such as submitting
> patches through GitHub.  These contribution channels have yielded
> great results for Alpine, resulting in many new maintainers stepping
> forward, some of which have over time gone through the full process
> and gained commit rights.  To be quite clear: those initiatives have
> been largely successful.
> 
> However, working through the GitHub and Patchwork queues looking for
> packages to commit, I notice that a majority of the commits are just
> generated by abump, which got me thinking...
> 
> Is it really worth developer time to go through a bunch of abump
> patches? 

No, but we need verify that maintainer does not push ABI breaking
change without trigger rebuild of the needed packages.

> Is it worth making Alpine users wait for someone to go
> through and commit their changes?  In my opinion, most of the time,
> *new* packages are where the review is needed.  If the change
> ultimately is just a new SHA512 hash and $version change, then for
> established maintainers, I think it is alright to just accept the
> change into the distribution.  And if that is the case, then why not
> allow them to push the change themselves?
> 
> What I propose is quite simple -- we add a git hook to check incoming
> pushes with the following checks:
> 
> 1. Is the committer a proper dev?  If so, allow the commit through.
> 
> 2. Is the commit only changing packages (and thusly not configs stored
> in the aports tree)?  If not, reject the push.
> 
> 3. Are the changed APKBUILDs in question maintained by the person who
> committed the patch (or they have additional privilege, maybe we can
> add a Co-Maintainer field?).  If not, reject the push.
> 
> 4. Are the changed APKBUILDs on a whitelist for the maintainer?  If
> not, reject the push.
> 
> 5. If all the above checks pass (2 through 4), allow the push.
> 
> This would allow us to extend some "soft" commit rights to new
> prospective developers, which in turn gives *positive reinforcement*
> that they are on track to becoming a developer.  It also has the
> benefit of reducing the size of the aports patch queues and allowing
> us to concentrate review efforts on people who need those efforts the
> most.

I agree that this is the direction we want go.

A thing that might be simpler to implement ans a step in that direction
is a github hook that will check if the commiter is the same as the
maintainer, and if it is, add a label "maintainer" or similar to to the
pull request. That way we can fast-track maintainer updates.

we could have similar hooks for simple version bumps, add a label
"bump" or similar, regardless if it is maintainer or not.

Finally, if both the "bump" and "maintainer" label is set, then we
could merge of those.
 
> There is some minor risk that folks who have the soft commit rights
> extended to them may from time to time mess up and cause a builder to
> stall.  However, in these cases we can simply revert the push or
> correct it.  After all, that is what we would be doing with a broken
> GitHub submission.  Beyond that, quite honestly, we have all done it
> before anyway *and* if the maintainer breaks something, it gives them
> the possibility of fixing it themselves before it causes any major
> impact.  So overall, I would say that it is a very minor risk.
> 
> William
> 
> 
> ---
> Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
> Help:         alpine-devel+help@lists.alpinelinux.org
> ---
> 



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---