Stream: t-compiler/wg-meta

Topic: GH permissions meeting


nikomatsakis (Mar 07 2019 at 22:09, on Zulip):

Should we try to schedule some kind of synchronous chat about how to manage GH permissions with the infra folks? (cc @simulacrum, @Aidan Hobson Sayers, @Pietro Albini)

I think before that it'd be good to do a bit of prep work into the various things we want to get out of GH permissions -- i.e., the roles we see, and the tasks those roles should perform

nikomatsakis (Mar 07 2019 at 22:09, on Zulip):

Maybe this is something we should have discussed in the meeting, @WG-compiler-meta :)

nikomatsakis (Mar 07 2019 at 22:09, on Zulip):

I'm feeling a lot of uncertainty about how to set things up right now and it's annoying me

davidtwco (Mar 07 2019 at 22:10, on Zulip):

I think this is a good idea. It could tie in with our ideas about "subscribing" to working groups too.

Pietro Albini (Mar 07 2019 at 22:15, on Zulip):

fine by me

Pietro Albini (Mar 07 2019 at 22:15, on Zulip):

(I'll reply tomorrow, too tired tonight)

nikomatsakis (Mar 07 2019 at 22:24, on Zulip):

Here are a few thoughts for said prep work:

davidtwco (Mar 07 2019 at 22:29, on Zulip):

Also: a uniform set of labels set up across repositories so that the entire organization can be searched during triage.

davidtwco (Mar 07 2019 at 22:29, on Zulip):

That isn't a permission thing but it's a GitHub setup thing.

davidtwco (Mar 07 2019 at 22:31, on Zulip):

For people who are newcomers, being able to be assigned is good, self-assign is also good, but a bonus perhaps

My understanding of current intent is that @triagebot will be used for this. Presumably adding people to some large read-only group.

For people who are contributing regularly, we want them to be able to self-assign

This could be grouped under the journeyperson role, but that's probably a higher bar than you envisioned.

nikomatsakis (Mar 07 2019 at 22:42, on Zulip):

Yeah, I was thinking that maybe we want something sooner than that

simulacrum (Mar 08 2019 at 02:03, on Zulip):

Synchronous chat seems good to me -- I'm fairly limited in scheduling but we can probably work something out.

nikomatsakis (Mar 12 2019 at 14:32, on Zulip):

@Pietro Albini let's discuss the matter of what privileges people should have here --

nikomatsakis (Mar 12 2019 at 14:32, on Zulip):

but should we actually schedule this meeting?

nikomatsakis (Mar 12 2019 at 14:32, on Zulip):

maybe for sometime this week?

nikomatsakis (Mar 12 2019 at 14:32, on Zulip):

I can create a doodle poll I guess

Pietro Albini (Mar 12 2019 at 14:32, on Zulip):

sure, a doodle works

Pietro Albini (Mar 12 2019 at 14:33, on Zulip):

and btw, you don't need to give core perms to anything, y'all are org owners

nikomatsakis (Mar 12 2019 at 14:40, on Zulip):

actually my schedule is fairly full :) I'm wondering if I need to be part of this meeting

nikomatsakis (Mar 12 2019 at 14:40, on Zulip):

I feel like I can add my constraints into a doc but I don't need to take active part

Pietro Albini (Mar 12 2019 at 14:42, on Zulip):

somehow I feel like you need to be part of the meeting

Pietro Albini (Mar 12 2019 at 14:43, on Zulip):

mostly because me and you apparently have really different opinions on perms :P

Pietro Albini (Mar 12 2019 at 14:43, on Zulip):

we could do voice since that's quicker

Pietro Albini (Mar 12 2019 at 14:53, on Zulip):

by the way, according to https://help.github.com/en/articles/repository-permission-levels-for-an-organization there is no action contributors should do that require admin perms

Pietro Albini (Mar 12 2019 at 14:54, on Zulip):

the only one that could be useful is overriding branch protection, but that shouldn't be done anyway

nikomatsakis (Mar 12 2019 at 22:28, on Zulip):

mostly because me and you apparently have really different opinions on perms :P

heh :) ok

davidtwco (Mar 13 2019 at 10:45, on Zulip):

Was a doodle poll created here?

nikomatsakis (Mar 13 2019 at 17:37, on Zulip):

No

nikomatsakis (Mar 13 2019 at 17:37, on Zulip):

Maybe someone can make one for next week?

nikomatsakis (Mar 13 2019 at 17:38, on Zulip):

Feeling a bit overwhelmed right now :)

nikomatsakis (Mar 14 2019 at 15:55, on Zulip):

How much time do we think we will need for this discussion? 30? 45? 60?

nikomatsakis (Mar 14 2019 at 15:59, on Zulip):

OK, here is a doodle poll for discussing how to setup our Github permissions setup to everyone's satisfaction. The poll purposefully super wide, I'll fill out my own availability in it later:

https://doodle.com/poll/ks499vkmibnhurse

cc @davidtwco, @Pietro Albini .

nikomatsakis (Mar 14 2019 at 16:00, on Zulip):

Not sure who else to cc =)

nikomatsakis (Mar 14 2019 at 16:00, on Zulip):

I guess @mw perhaps

davidtwco (Mar 14 2019 at 16:00, on Zulip):

Is the intent for this to be a text chat or video? (I have less video-chat-is-possible hours in the day than text-chat-is-possible hours in the day.)

nikomatsakis (Mar 14 2019 at 16:08, on Zulip):

I was assuming text

davidtwco (Mar 14 2019 at 16:08, on Zulip):

I've added it with video availability. Chat availability is more or less any time I'm awake. Will update with text availability. Done.

nikomatsakis (Mar 14 2019 at 16:08, on Zulip):

we also should do a bit of prep work

nikomatsakis (Mar 14 2019 at 16:09, on Zulip):

I was trying to create a paper with my "desiderata" but I didn't get too far yet

nikomatsakis (Mar 14 2019 at 16:09, on Zulip):

I suspect @davidtwco you kind of know what they are anyway ;)

davidtwco (Mar 14 2019 at 16:09, on Zulip):

I suspect davidtwco you kind of know what they are anyway ;)

I could make some educated guesses.

nikomatsakis (Mar 14 2019 at 16:11, on Zulip):

Roughly speaking I want to be able to

I want it to be very simple to apply these same privileges across many repositories.

Similarly, I want to be able to publish new versions of crates to crates.io with ease.

I want maintaining these lists to be something that can be distributed to others, not something only a select few can do.

nikomatsakis (Mar 14 2019 at 16:12, on Zulip):

Something I would find useful in prep for the meeting, probably @Pietro Albini already knows quite well, is a precise description of what capabilities each level of access gives (i.e., what are the things an admin can do that a "write user" cannot?). I guess the question would be which of these capabilities we might need and when.

davidtwco (Mar 14 2019 at 16:12, on Zulip):

Same expanded permissions (outwith r+/reviewing) of journeyperson or will this list be the journeyperson list?

nikomatsakis (Mar 14 2019 at 16:12, on Zulip):

I'm not sure :)

nikomatsakis (Mar 14 2019 at 16:12, on Zulip):

Either or both

davidtwco (Mar 14 2019 at 16:13, on Zulip):

:shrug: It's a detail.

Pietro Albini (Mar 19 2019 at 10:58, on Zulip):

@davidtwco @nikomatsakis so, 20pm UTC today?

davidtwco (Mar 19 2019 at 11:03, on Zulip):

Works for me.

nikomatsakis (Mar 19 2019 at 14:17, on Zulip):

Yeah, that works. I was just going to come in and mention that.

Pietro Albini (Mar 19 2019 at 20:00, on Zulip):

@davidtwco @nikomatsakis ?

nikomatsakis (Mar 19 2019 at 20:02, on Zulip):

coming shortly :) meeting running over

Pietro Albini (Mar 19 2019 at 20:02, on Zulip):

sure

nikomatsakis (Mar 19 2019 at 20:05, on Zulip):

ok

nikomatsakis (Mar 19 2019 at 20:07, on Zulip):

so, how shall we do this =)

nikomatsakis (Mar 19 2019 at 20:07, on Zulip):

@davidtwco did you wind up drawing notes, or shall we start from the ones I sketched above?

nikomatsakis (Mar 19 2019 at 20:12, on Zulip):

OK I guess @davidtwco is busy :)

nikomatsakis (Mar 19 2019 at 20:12, on Zulip):

@Pietro Albini -- did you see those notes I sketched out?

Pietro Albini (Mar 19 2019 at 20:12, on Zulip):

yep

Pietro Albini (Mar 19 2019 at 20:12, on Zulip):

so

nikomatsakis (Mar 19 2019 at 20:12, on Zulip):

I guess another starting point might be talking about your concerns

Pietro Albini (Mar 19 2019 at 20:13, on Zulip):

ok

Pietro Albini (Mar 19 2019 at 20:14, on Zulip):

my main concern is that we should try and give people the least amount of perms needed to do their work

nikomatsakis (Mar 19 2019 at 20:14, on Zulip):

Yeah. That makes sense. I know you feel I give out too many admin roles :)

nikomatsakis (Mar 19 2019 at 20:14, on Zulip):

I think most folks don't really want admin anyway

Pietro Albini (Mar 19 2019 at 20:14, on Zulip):

and they don't really need it

Pietro Albini (Mar 19 2019 at 20:14, on Zulip):

github has a table with all the permission levels https://help.github.com/en/articles/repository-permission-levels-for-an-organization

nikomatsakis (Mar 19 2019 at 20:14, on Zulip):

So I think what I would like is something like this:

nikomatsakis (Mar 19 2019 at 20:14, on Zulip):

a fixed set of GH teams

nikomatsakis (Mar 19 2019 at 20:14, on Zulip):

named after the role

nikomatsakis (Mar 19 2019 at 20:15, on Zulip):

e.g., "rust-lang/admin-perm", "rust-lang/write-perm", "rust-lang/read-perm"

nikomatsakis (Mar 19 2019 at 20:15, on Zulip):

and we can just add those 3 things to each project

nikomatsakis (Mar 19 2019 at 20:15, on Zulip):

and then use your amazing repo to populate them :)

nikomatsakis (Mar 19 2019 at 20:15, on Zulip):

is that even plausible?

nikomatsakis (Mar 19 2019 at 20:15, on Zulip):

then we can debate a bit about who gets which perms, but I care less about that

Pietro Albini (Mar 19 2019 at 20:15, on Zulip):

I wouldn't give admin perms away at all

Pietro Albini (Mar 19 2019 at 20:16, on Zulip):

the only thing a repo admin can do more than an user with write perms is merging changes overriding branch protection

Pietro Albini (Mar 19 2019 at 20:16, on Zulip):

all the other things that require admin perms are in the repo settings

nikomatsakis (Mar 19 2019 at 20:17, on Zulip):

ok, looking at the table, I agree with you :)

nikomatsakis (Mar 19 2019 at 20:17, on Zulip):

so you'd prefer to just keep that to the org owners

Pietro Albini (Mar 19 2019 at 20:17, on Zulip):

yep

Pietro Albini (Mar 19 2019 at 20:18, on Zulip):

for the {read,write}-perm teams, I don't know if it's really necessary

davidtwco (Mar 19 2019 at 20:18, on Zulip):

Sorry, things were busy at work. Feel free to throw tasks my way if there’s anything that needs done and I’ll check in later.

nikomatsakis (Mar 19 2019 at 20:18, on Zulip):

for the {read,write}-perm teams, I don't know if it's really necessary

necessary, maybe not, but it's be very convenient :)

nikomatsakis (Mar 19 2019 at 20:18, on Zulip):

what would you propose in terms of how to manage who gets read/write access?

Pietro Albini (Mar 19 2019 at 20:20, on Zulip):

what I think we should do is having compiler, journey and lang with write access to all the t-compiler repos, and then the appropriate wgs where needed

nikomatsakis (Mar 19 2019 at 20:20, on Zulip):

what is "journey"?

Pietro Albini (Mar 19 2019 at 20:20, on Zulip):

journeypeople

Pietro Albini (Mar 19 2019 at 20:20, on Zulip):

that name is too long :stuck_out_tongue:

nikomatsakis (Mar 19 2019 at 20:20, on Zulip):

I'm thinking of proposing a change to the concept anyway

nikomatsakis (Mar 19 2019 at 20:21, on Zulip):

but let's say this -- there are people who have r+ who are not full team members

nikomatsakis (Mar 19 2019 at 20:21, on Zulip):

let's call them "compiler team regulars" for now

nikomatsakis (Mar 19 2019 at 20:21, on Zulip):

are you saying, compiler + regulars + lang would have write access, plus (if desired) a WG?

Pietro Albini (Mar 19 2019 at 20:21, on Zulip):

yep

nikomatsakis (Mar 19 2019 at 20:21, on Zulip):

is there any reason not to create a "writers" team?

nikomatsakis (Mar 19 2019 at 20:22, on Zulip):

I guess we'd prefer to have (e.g.) libs team repositories where compiler folks don't have write access?

nikomatsakis (Mar 19 2019 at 20:22, on Zulip):

(I'm not sure that I care one way or the other)

Pietro Albini (Mar 19 2019 at 20:22, on Zulip):

yep, and especially infra ones like homu or central station

nikomatsakis (Mar 19 2019 at 20:22, on Zulip):

ok. I can live with that.

nikomatsakis (Mar 19 2019 at 20:22, on Zulip):

as long as it's a fairly clear, regular setup

Pietro Albini (Mar 19 2019 at 20:22, on Zulip):

we could definitely call it compiler-writers if you think that would be easier to manage

nikomatsakis (Mar 19 2019 at 20:22, on Zulip):

maybe what we can do is this

nikomatsakis (Mar 19 2019 at 20:22, on Zulip):

we could use nested teams

Pietro Albini (Mar 19 2019 at 20:23, on Zulip):

I don't actually know how nested teams work, never used them

nikomatsakis (Mar 19 2019 at 20:23, on Zulip):

i.e., we could have

or maybe even something like

nikomatsakis (Mar 19 2019 at 20:23, on Zulip):

that last one might be right

nikomatsakis (Mar 19 2019 at 20:23, on Zulip):

well, think subtyping :)

nikomatsakis (Mar 19 2019 at 20:24, on Zulip):

that is, a member of the nested team is also a member of all the enclosing teams

nikomatsakis (Mar 19 2019 at 20:24, on Zulip):

I think that's not 100% true but it's kind of true :)

nikomatsakis (Mar 19 2019 at 20:24, on Zulip):

I have to double check though

Pietro Albini (Mar 19 2019 at 20:24, on Zulip):

we could just simulate them with a children = ["compiler", "compiler-regulars", "lang"] in the team repo

Pietro Albini (Mar 19 2019 at 20:24, on Zulip):

I think with that pings would change though

nikomatsakis (Mar 19 2019 at 20:24, on Zulip):

pretty sure, though, that this would mean we could just give write to "compiler-lang-r+" and be done or something like that. The other advantage would be that we could ping compiler-regulars and also get the compiler team (which I would like)

nikomatsakis (Mar 19 2019 at 20:25, on Zulip):

I think with that pings would change though

yeah, I was thinking about pings

Pietro Albini (Mar 19 2019 at 20:25, on Zulip):

and @rust-lang/compiler-r+/compiler-team-regulars/compiler-team is not too fun to write :P

nikomatsakis (Mar 19 2019 at 20:25, on Zulip):

well we can pick better names :)

nikomatsakis (Mar 19 2019 at 20:25, on Zulip):

you wouldn't ping the r+ folks anyway

Pietro Albini (Mar 19 2019 at 20:25, on Zulip):

yeah, sure

nikomatsakis (Mar 19 2019 at 20:25, on Zulip):

but it might be nice to have something we can ping for like "hey, maybe somebody has some thouhts on this bug or might jump in and fix it"

nikomatsakis (Mar 19 2019 at 20:26, on Zulip):

that gets both the team members and the regular contributors

Pietro Albini (Mar 19 2019 at 20:26, on Zulip):

having a compiler-contributors managed through the team repo should be doable

Pietro Albini (Mar 19 2019 at 20:26, on Zulip):

well, once I write github synchronization...

nikomatsakis (Mar 19 2019 at 20:26, on Zulip):

anyway it's a relatively minor thing

nikomatsakis (Mar 19 2019 at 20:26, on Zulip):

ok I agree to the general plan

nikomatsakis (Mar 19 2019 at 20:26, on Zulip):

now, the question of tooling :)

nikomatsakis (Mar 19 2019 at 20:27, on Zulip):

under this plan, I think this means that if I want to add someone to the regular set, I would go open a repo on the "team repo"?

Pietro Albini (Mar 19 2019 at 20:27, on Zulip):

yep

nikomatsakis (Mar 19 2019 at 20:29, on Zulip):

(similarly, if I were adding someone to the compiler team)

Pietro Albini (Mar 19 2019 at 20:29, on Zulip):

that's the plan

Pietro Albini (Mar 19 2019 at 20:30, on Zulip):

the only two things that are still manual are github and rfcbot, but I hope to integrate them soonish

nikomatsakis (Mar 19 2019 at 20:30, on Zulip):

OK, so, here is a concern

nikomatsakis (Mar 19 2019 at 20:30, on Zulip):

with the plan

nikomatsakis (Mar 19 2019 at 20:31, on Zulip):

right now, there are folks (rust-push) who do things like label issues

nikomatsakis (Mar 19 2019 at 20:31, on Zulip):

as well as e.g. release triaging efforts

nikomatsakis (Mar 19 2019 at 20:31, on Zulip):

I might like those people to be able to control labels and things

nikomatsakis (Mar 19 2019 at 20:31, on Zulip):

is the plan that they will manage this through a bot?

nikomatsakis (Mar 19 2019 at 20:31, on Zulip):

(also, can people assign themselves to issues via that same bot?)

Pietro Albini (Mar 19 2019 at 20:32, on Zulip):

the rust-push team is really scaring me at the moment perms wise

Pietro Albini (Mar 19 2019 at 20:33, on Zulip):

@simulacrum is working on triagebot though, which already allows non-members to apply labels

nikomatsakis (Mar 19 2019 at 20:34, on Zulip):

the rust-push team is really scaring me at the moment perms wise

lol I thought it might :)

nikomatsakis (Mar 19 2019 at 20:35, on Zulip):

in any case I envision ultimately these repos being basically part of rustc, so I'm pretty sure we're going to want to be able to manage labels and things through some unified system

nikomatsakis (Mar 19 2019 at 20:35, on Zulip):

I suppose at worst that just means "some add'l team" to give perms to

nikomatsakis (Mar 19 2019 at 20:35, on Zulip):

but a bot is always nice too

Pietro Albini (Mar 19 2019 at 20:38, on Zulip):

yeah, the nice thing about the bot is that there is no manual action from us to give perms, it just works when you try it

nikomatsakis (Mar 19 2019 at 20:39, on Zulip):

right

Pietro Albini (Mar 19 2019 at 20:39, on Zulip):

about assigning people to issues, adding them to a read-only team could work

nikomatsakis (Mar 19 2019 at 20:39, on Zulip):

so, to make this plan a reality, what do we need

nikomatsakis (Mar 19 2019 at 20:39, on Zulip):

right, I thought we were talking about a bot for that

nikomatsakis (Mar 19 2019 at 20:40, on Zulip):

it seems like maybe we should have some kind of "affiliates" team that is just "read perm"?

Pietro Albini (Mar 19 2019 at 20:40, on Zulip):

yep, but I'm slightly worried about people getting automatic membership of the org, mostly for the "member" label near their name

nikomatsakis (Mar 19 2019 at 20:40, on Zulip):

hmm

Pietro Albini (Mar 19 2019 at 20:40, on Zulip):

nothing security wise, but what they say on issues could be mistaken as an official response

nikomatsakis (Mar 19 2019 at 20:40, on Zulip):

I hadn't considered that angle

nikomatsakis (Mar 19 2019 at 20:40, on Zulip):

yes, that's a reasonably good point

nikomatsakis (Mar 19 2019 at 20:41, on Zulip):

Still, assigning issues is so useful. Hmm. I mean, maybe it would be ok if we did something like

nikomatsakis (Mar 19 2019 at 20:41, on Zulip):

assign to a bot

Pietro Albini (Mar 19 2019 at 20:41, on Zulip):

but that could easily be solved by the bot assigning itself and adding an "assigned to pietro" at the top of the main comment

Pietro Albini (Mar 19 2019 at 20:41, on Zulip):

yep :D

nikomatsakis (Mar 19 2019 at 20:41, on Zulip):

and edit the header comment to list who it is assigned to

nikomatsakis (Mar 19 2019 at 20:41, on Zulip):

this would sort of read as "assigned to a one-off contributor"

Pietro Albini (Mar 19 2019 at 20:41, on Zulip):

we're on the same page on this then!

nikomatsakis (Mar 19 2019 at 20:41, on Zulip):

once somebody has been around for a while, they can be added as a "regular"

nikomatsakis (Mar 19 2019 at 20:42, on Zulip):

Yeah, I think I can live with that

nikomatsakis (Mar 19 2019 at 20:42, on Zulip):

Especially given the rate at which people grab issues and then disappear

nikomatsakis (Mar 19 2019 at 20:42, on Zulip):

once somebody has been around for a while, they can be added as a "regular"

then it becomes a kind of status thing, to get your face on the issue :P

Pietro Albini (Mar 19 2019 at 20:43, on Zulip):

so, the main thing we need is assignment support for triagebot, since labelling is already implemented

Pietro Albini (Mar 19 2019 at 20:43, on Zulip):

(the syntax is not that nice atm, but it can be changed easily I think)

nikomatsakis (Mar 19 2019 at 20:43, on Zulip):

OK.

Pietro Albini (Mar 19 2019 at 20:45, on Zulip):

github synchronization of teams would be nice to implement the compiler-contributors thing, but it's not too urgent imo

nikomatsakis (Mar 19 2019 at 20:45, on Zulip):

about nested teams:

Child teams inherit the parent's access permissions, simplifying permissions management for large groups. Members of child teams also receive notifications when the parent team is @mentioned, simplifying communication with multiple groups of people.

Pietro Albini (Mar 19 2019 at 20:46, on Zulip):

hmm, yeah, but I'm still a bit worried about the ping for the compiler team itself

Pietro Albini (Mar 19 2019 at 20:47, on Zulip):

we'd also probably want some tooling to cookiecutter repositories

Pietro Albini (Mar 19 2019 at 20:47, on Zulip):

to mass-change settings, perms and webhooks

davidtwco (Mar 19 2019 at 22:04, on Zulip):

I agree with more or less everything that’s been said.

davidtwco (Mar 19 2019 at 22:06, on Zulip):

There was also the idea of having roles with no permissions for working groups that people can add themselves too so they can get notification pings related to that working group’s work. But I agree that we probably wouldn’t want to be adding people to the org as much as we do.

nikomatsakis (Mar 20 2019 at 19:28, on Zulip):

@Pietro Albini @davidtwco I was thinking that it would be great to produce a summary of the final conclusions from this thread for future reference

nikomatsakis (Mar 20 2019 at 19:29, on Zulip):

There was also the idea of having roles with no permissions for working groups that people can add themselves too so they can get notification pings related to that working group’s work. But I agree that we probably wouldn’t want to be adding people to the org as much as we do.

Yeah, although i'm not sure how important this is really. I do feel like we want some way to reach out to folks, but i'm not 100% convinced it should be pings? It may be that meetings wind up filling this role. Or maybe we can collect e-mails. Or just have a rolling internals threads. Lots of options.

Last update: Nov 11 2019 at 22:50UTC