[NuGet.org Bug]: remove package owner from prefix-reserved package?

[nblumhardt]

Impact

I'm unable to use NuGet.org

Describe the bug

Hi folks!

The serilog GitHub org owns a number of packages under the Serilog.* prefix, and we have a non-exclusive namespace reservation for it.

We're now moving some of those packages out of the Serilog organization, and would like to transfer publishing rights to their new owners.

Currently, it seems like the gallery UI is blocking us from doing that (the "Remove" link next to our organization name on the package owners management page is greyed out).

How can we proceed? Thanks!

Repro Steps

Attempt to remove the serilog organization from ownership of Serilog.Sinks.ElmahIo.

Expected Behavior

Should remove us as an org owner.

Screenshots

Additional Context and logs

CC @ThomasArdal

[ThomasArdal]

And a quick comment from the other owner of this. I see the same issue when signing in from my organization where I can remove my own organization but not the first one:

[ThomasArdal]

@nblumhardt I found the cause of the link being disabled in the markup:

You cannot remove serilog as owner of Serilog.Sinks.ElmahIo because they are the only owner or they own the only reserved namespace

As an admin in the serilog organization on NuGet you might be able to contact account@nuget.org and delegate Serilog.Sinks.ElmahIo as a prefix subset as described here: https://docs.microsoft.com/en-us/nuget/nuget-org/id-prefix-reservation#advanced-prefix-reservation-scenarios. I'm not sure if the full package name applies for a prefix subset.

[loic-sharma]

@jcjiang Would you be able to look into this? :)

[jcjiang]

Hey there, happy to help! I've temporarily removed 'Serilog' as an owner of the 'Serilog' prefix, which should allow you to make the changes. Let me know once you want me to reinstate the reservation.

[ThomasArdal]

@jcjiang Thank you. I have removed the Serilog org from that package now. I'm curious to hear if we from the elmah.io organization can continue to publish updates to the package since the Serilog.Sinks prefix is assigned the serilog org.

[nblumhardt]

Thanks for the help, all!

Unfortunately, we have about 20 of these expected in the next few months 😅 ....... Since (AFAIK) we don't reserve the prefix exclusively, is there any way this restriction can simply be relaxed so that removing serilog as an owner will just remove the blue tick?

Otherwise - wondering if there's another way we could coordinate this? Thanks again!

[jcjiang]

I went ahead and removed the restriction for the prefix, so removing serilog as an owner will just remove the blue tick. There is no further action needed here - serilog is currently the owner of the shared namespace and will get the blue tick, all other users can publish to the namespace but won't get the tick.

Take a look and let me know if I can do anything else to help!

[nblumhardt]

Sounds great - thank you @jcjiang 👍

[augustoproiete]

Hi @jcjiang, I've just tried to remove serilog as owner of the package Serilog.Sinks.Elasticsearch and the "Remove" action is disabled.

Our goal is to transfer a number of Serilog.* packages out of the serilog owner to other owners.

[nblumhardt]

Hi @jcjiang - I'm doing the same now for Serilog.Sinks.Seq and still being blocked:

[nblumhardt]

Hi all 👋

We'd really like to avoid having the serilog account "own" packages that we're no longer responsible for the development/maintenance of, so proposing a way forward that doesn't require code changes on the NuGet side below 🙂 :

The approach would be:

1. (Serilog Team) Create a new NuGet.org organization to temporarily "own" packages we're moving out of serilog
2. (Serilog Team) Add the temporary organization as an owner of all of the packages in question
3. (NuGet Team) Temporarily remove the Serilog namespace reservation
4. (Serilog Team) Remove serilog as an owner of the packages in question
5. (NuGet Team) Reinstate the namespace reservation (we could arrange a date/time in advance, or coordinate via this thread)

I can do the work on the Serilog side. How does this sound?

[nblumhardt]

Hi folks, any chance we can move forward on this plan?

[joelverhagen]

Hey @nblumhardt, apologies on the slow responses here. I've been out on leave and we've had some responsibility changes regarding prefix reservation. I'm reading through this thread to get up to speed and will evaluate your clever approach.

[joelverhagen]

@nblumhardt, could you help me understand what the value of the new, temporary organization is in your suggestion? Would this essentially give you access to Serilog packages longer than the lifetime of the "serilog" ownership? Apologies if I am missing something.

Another approach you could consider is providing my team with the list of package IDs that need "serilog" removed (this can be done here if you are comfortable with it). As site admins, we can side-step the restriction you're facing above. Full disclosure, there is a bug I just found on our INT environment (https://github.com/NuGet/NuGetGallery/issues/8941) which means the blue checkmark will remain even after "serilog" is removed but this can be remedied by re-reserving the namespace. Hopefully the number of packages is not too many for manually going through.

Which approach do you prefer? Both seem fine, but the second one seems like a bit less work for you 👍.

[nblumhardt]

Hi @joelverhagen! Thanks for picking this back up. The value of the temporary organization is just that we don't yet know who the eventual owner should be for each package, though we do know which ones are moving out.

I think your suggestion - providing your team with a list of package ids - is good, and should be compatible with this. I'll get the list assembled. What's the best way to get it to you?

[joelverhagen]

Putting the list here is fine, if you're okay with sharing it publicly. Otherwise, you can send it to support@nuget.org, mentioning this issue as well.

[joelverhagen]

Hey @nblumhardt, I haven't been able to find any package ID list from you for this operation. Is it possible we missed an email? If you're still working on building the list, no worries. I just wanted to make sure you weren't blocked on us.

[nblumhardt]

Thanks for checking in, @joelverhagen! Sorry about the long delay - all at my end, unfortunately. I'll aim to loop back ASAP 😅

[nblumhardt]

@joelverhagen we're making some progress; so far only four that I can confirm are ready to have serilog removed from their package owners:

Package	New Owner
serilog.formatting.elasticsearch	serilog-contrib
serilog.sinks.elasticsearch	serilog-contrib
serilog.sinks.exceptionless	exceptionless
serilog.sinks.seq	datalust

In each case, the "New Owner" should already be listed as an owner of the package.

It may be worth doing these ones now, to check that all goes to plan? I'll be able to follow up with another list with the remaining packages before the end of March.

Thanks for all the help! 👍

[joelverhagen]

@nblumhardt, I have removed the serilog owner from these 4 packages and reset the namespace reservations. I had to deallocate Serilog* and Serilog.Exceptions* and then reallocate them again with the exact same settings to properly remove the blue checkmark on these 4 packages, due to https://github.com/NuGet/NuGetGallery/issues/8941. Please let me know if everything looks good to you.

[nblumhardt]

Sorry @joelverhagen, I mistakenly thought I had replied to your last comment (I may have done through another channel? Apologies if not!).

I've run through the final projects and I believe the last ones needing removal of the serilog owner are:

Package	New Owner
serilog.sinks.applicationinsights	serilog-contrib
serilog.sinks.azureeventhub	serilog-contrib
serilog.sinks.azuretablestorage	serilog-contrib
serilog.sinks.mongodb	jaben
serilog.sinks.mssqlserver	serilog-mssql
serilog.sinks.ravendb	ravendb
serilog.sinks.raygun	mindscapehq (temporarily nblumhardt*)
serilog.sinks.splunk	serilog-contrib
serilog.sinks.splunk.tcp	serilog-contrib
serilog.sinks.splunk.udp	serilog-contrib

* this one is being transferred to the org behind Raygun, but still waiting on package ownership acceptance; I've added my own account to stand in in the meantime so that we can finalize this ticket.

Thanks again for all of your help with this 🙏 - if you need any additional info, please just let me know.

[nblumhardt]

(Edited; sorry!)

[joelverhagen]

Sorry @joelverhagen Joel Verhagen FTE, I mistakenly thought I had replied to your last comment (I may have done through another channel? Apologies if not!).

No worries, there are certainly an overwhelming number of channels these days 😃. I try to stay on top of Twitter and GitHub notifications but if you messaged me some other way, it's quite possible I missed it.

Thanks again for all of your help with this 🙏 - if you need any additional info, please just let me know.

It's done. Please let us know if you need assistance with anything else!

[nblumhardt]

there are certainly an overwhelming number of channels these days

Tell me about it! 😅

Thanks for sticking with this one, @joelverhagen - I really appreciate the help! I think that should be just about it, from me.

[joelverhagen]

I will lease this issue open to track the feature gap: package owners can't remove co-owners when it would change the prefix reservation status. Depending on the severity of the problem, we can consider a fix in the future.