Re: Allow non-packagers to push to dist-git forks without fedpkg
On Mon, Apr 25, 2022 at 04:14:03PM -0400, Matthew Miller wrote: > On Fri, Apr 22, 2022 at 03:44:01PM +0200, Miro Hrončok wrote: > > If I understand correctly, SSH access is a security/legal/whatever > > no-go for nonpackagers, but can we offer some kind of standard git > > mechanism to authenticate? API tokens maybe? > > If there is a technical thing we want to do to make Fedora easier to > contribute to, we should figure out how to remove any legal (or "whatever") > blockers. And mitigate any security concerns. To my knowledge there's no legal issue around ssh access. It's simply that when we setup pkgs.fedoraproject.org so long ago, the way it was done was to add packagers as local accounts so they could ssh in. Non packagers don't have any account there, so they can't directly ssh in. Ideally we would just redo this so packagers don't have real accounts either, and just use a wrapper, but thats likely to be a bunch of work. kevin signature.asc Description: PGP signature ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Allow non-packagers to push to dist-git forks without fedpkg
On Fri, Apr 22, 2022 at 03:44:01PM +0200, Miro Hrončok wrote: > If I understand correctly, SSH access is a security/legal/whatever > no-go for nonpackagers, but can we offer some kind of standard git > mechanism to authenticate? API tokens maybe? If there is a technical thing we want to do to make Fedora easier to contribute to, we should figure out how to remove any legal (or "whatever") blockers. And mitigate any security concerns. -- Matthew Miller Fedora Project Leader ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Allow non-packagers to push to dist-git forks without fedpkg
On Fri, Apr 22, 2022 at 11:01:27AM -0400, Neal Gompa wrote: > On Fri, Apr 22, 2022 at 9:54 AM Miro Hrončok wrote: > > > > Hello folks, > > > > what would it take to allow non-packagers to push to dist-git forks without > > fedpkg? > > > > The instructions at > > https://docs.fedoraproject.org/en-US/ci/pull-requests/#_you_are_not_a_packager > > assume they run Fedora (or another distro with fedpkg), but this is > > extremely > > unfriendly to contributors who run other distros. > > > > The alternative is external pull request which is awesome in theory but > > quite > > tedious in practice. E.g. as a package maintainer, I cannot push my changes > > to > > a proposed external pull request. > > > > If I understand correctly, SSH access is a security/legal/whatever no-go for > > nonpackagers, but can we offer some kind of standard git mechanism to > > authenticate? API tokens maybe? > > > > If not, can we at least extract the fedpkg bits that do this and release > > that > > as a standalone easy-to-install software that we can offer or even package > > to > > other distributions? > > > > We should just turn on Pagure's ability to let you create API tokens > that can do HTTPS auth for git push on src.fedoraproject.org. The > janky setup we have now predates introducing support in Pagure itself. We have, but it's incompatible with the existing oauth setup, so we need to figure out how we can transition that without breaking everyone or get them both to work. :( kevin signature.asc Description: PGP signature ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Allow non-packagers to push to dist-git forks without fedpkg
On Fri, Apr 22, 2022 at 9:54 AM Miro Hrončok wrote: > > Hello folks, > > what would it take to allow non-packagers to push to dist-git forks without > fedpkg? > > The instructions at > https://docs.fedoraproject.org/en-US/ci/pull-requests/#_you_are_not_a_packager > assume they run Fedora (or another distro with fedpkg), but this is extremely > unfriendly to contributors who run other distros. > > The alternative is external pull request which is awesome in theory but quite > tedious in practice. E.g. as a package maintainer, I cannot push my changes to > a proposed external pull request. > > If I understand correctly, SSH access is a security/legal/whatever no-go for > nonpackagers, but can we offer some kind of standard git mechanism to > authenticate? API tokens maybe? > > If not, can we at least extract the fedpkg bits that do this and release that > as a standalone easy-to-install software that we can offer or even package to > other distributions? > We should just turn on Pagure's ability to let you create API tokens that can do HTTPS auth for git push on src.fedoraproject.org. The janky setup we have now predates introducing support in Pagure itself. -- 真実はいつも一つ!/ Always, there's only one truth! ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Allow non-packagers to push to dist-git forks without fedpkg
> On Apr 22, 2022, at 6:44 AM, Miro Hrončok wrote: > > Hello folks, > > what would it take to allow non-packagers to push to dist-git forks without > fedpkg? > > The instructions at > https://docs.fedoraproject.org/en-US/ci/pull-requests/#_you_are_not_a_packager > assume they run Fedora (or another distro with fedpkg), but this is > extremely unfriendly to contributors who run other distros. > > The alternative is external pull request which is awesome in theory but quite > tedious in practice. E.g. as a package maintainer, I cannot push my changes > to a proposed external pull request. > > If I understand correctly, SSH access is a security/legal/whatever no-go for > nonpackagers, but can we offer some kind of standard git mechanism to > authenticate? API tokens maybe? > > If not, can we at least extract the fedpkg bits that do this and release that > as a standalone easy-to-install software that we can offer or even package to > other distributions? > As frequently as I find myself working in a different environment due to various constraints, having the fedpkg bits available in other environments — even homebrew — sounds like a win in my opinion. signature.asc Description: Message signed with OpenPGP ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure