New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[META] Baseline MAINTAINERS, CODEOWNERS and external collaborator permissions #125
Comments
This looks great to me. Reminder to maintainers: review https://github.com/opensearch-project/.github/blob/main/RESPONSIBILITIES.md#becoming-a-maintainer in order to execute these activities according to the agreed policies. |
So if the problem is transparency, adding people as "collaborators" does not solve the problem. AFAIK, Only admins can see the "setting" tabs where collaborators live, so people will have to trust that codeowners/maintainers is correct (as opposed to today where org member can at least inspect the teams). Put another way, you haven't added a mechanism to codeowners/maintainers up-to-date, and you've reduced the number of people who can audit it. The benefit of teams is that we can make someone a "team maintainer" (with the ability to add and remove team members) without giving them any other additional permissions on the repo. The unintended consequence for moving to collaborators is that you have have to be an admin to add folks. Because of all the other things admins can do, I want to keep the number of admins down to a very small number. Now if the problem we're solving is "maintainers are getting added, and we want to slow that process down and add a gate to it" (which is a reasonable problem), then making it an admin-only function will do that. Now an interesting thing would be to say the ONLY way you can get added as a collaborator is if you're in codeowners/maintainers MD (e.g. tooling that automatically syncs one to the other). There's tooling out there to remove folks, so presumably we could have tooling to add folks as well...? |
@CEHENKLE Don't you have to be a member of the org to be added to a team? Assuming that's possible, isn't that the same problem of admin gating? |
@dblock , What is the motivation for using a list of maintainers in the CODEOWNERS file rather than the team identifier? The current approach has one fewer place to have to worry about when updating the current maintainers list. With this change, there are three things to change: 1) MAINTAINERS.md, 2) CODEOWNERS, 3) Team membership |
Teams are useful when granting r/w access to several repos, which shouldn't be allowed because each repo has a separate list of maintainers. We have 70 (!) teams rn. A team called
So I propose we get rid of teams to treat org members the same way as external collaborators. The nice thing about teams is that you can have admins of a team without being an admin of a repo. But the above arguments make it quickly difficult to manage.
I propose to get rid of teams altogether. CODEOWNERS can be further refined to have owners of parts of the repo. |
Thanks for the detailed explanation! The current problems make sense and I understand why repo permissions can help resolve this.
We will still have three places to change. Instead of the Team membership, we need to update the repo permissions. But, I understand the problem now so I'm onboard with this. |
One more use case is here opensearch-project/opensearch-build#3111 |
You mean some kind of automation that asks a person whether they want to be a maintainer? Personally I didn't need something like this. In the past month I've nominated 2 maintainers, so had to send a total of 4 emails (2 to existing maintainers and then one to the person I nominated) and open 2 PRs. It's really not that much. |
This is for baselining current maintainers. This way we can automate the baselining procedure to ask all maintainers every so often (the decided interval) if they want to continue being a maintainer. This is to ensure all repos are following the correct baselining procedure. |
@lezzago We introduced emeritus to allow maintainers to say that they no longer want to be involved, and to still recognize their past contributions. How would actively removing folks from MAINTAINERS because they went inactive have any material impact? FYI I am planning to extend https://github.com/opensearch-project/project-tools |
What is the definition of "contribute"? |
(thanks to @ananzh) |
@seanneumann Here is a cleaner version of your list
Trick is to just reference the url of the issue/PR in list form, e.g.
|
Thanks @peternied! I'm a little to quick to copy and paste. :) |
But do you have The Key on your desk like I do? |
There is no such Baseline issue in dashboard-notifications, @dblock could you please sync up one on this repo as well? |
In this scheme, should maintainers should be able to add new maintainers to the repositories without intervention from the opensearch-project/admins? I thought yes, but I just reopened opensearch-project/dashboards-search-relevance#146 because I'm unable to access Settings -> Collaborators on the repo. |
I made one in opensearch-project/dashboards-notifications#31, but please don't hesitate to open issues for things like these next time and I can always link above. |
You're not. It's purposely centralized with the admin team to have some additional controls. I am working on a proposal to change that and have additional admins in each repo. We would need ways to audit permission changes better to support that. |
Based on requirement here: opensearch-project/.github#125 CODEOWNER should include a subset or all maintainers. Issue Resolve opensearch-project#2878 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Based on requirement here: opensearch-project/.github#125 CODEOWNER should include a subset or all maintainers. Based on the request, update maintainers. Issue Resolve opensearch-project#2878 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Based on requirement here: opensearch-project/.github#125 CODEOWNER should include a subset or all maintainers. Based on the request, update maintainers. Issue Resolve opensearch-project#2878 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Based on requirement here: opensearch-project/.github#125 CODEOWNER should include a subset or all maintainers. Based on the request, update maintainers. Issue Resolve #2878 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Based on requirement here: opensearch-project/.github#125 CODEOWNER should include a subset or all maintainers. Based on the request, update maintainers. Issue Resolve #2878 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Based on requirement here: opensearch-project/.github#125 CODEOWNER should include a subset or all maintainers. Based on the request, update maintainers. Issue Resolve #2878 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Verified all lists of MAINTAINERS, CODEOWNERS, and actual permissions. Removed all groups with more than triage access from all repos. |
Based on requirement here: opensearch-project/.github#125 CODEOWNER should include a subset or all maintainers. Based on the request, update maintainers. Issue Resolve opensearch-project#2878 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
What/Why
What are you proposing?
There are some common differences across repos in opensearch-project when it comes to maintainers, codeowners and repository permissions.
The proposal is to correct and align on all the issues above in a single campaign.
What problems are you trying to solve?
What will it take to execute?
First, baseline MAINTAINERS if you've never done that.
Verified
The text was updated successfully, but these errors were encountered: