Per-project groups?

[vemv]

Hi there!

Recently I faced a use case which might be somewhat common.

I wanted to collaborate with someone else for a fork of a project. Groups such as com.github.<username> are handy for forks, but inviting someone else would also imply granting that person access to arbitrary projects of mine within that group.

So it might be a good idea to support groups with the following scheme: com.github.<username>.<project-name>.

For example, in a Lein project one would use com.github.<username>.<project-name>/<project-name>. When performing lein deploy for such a project, a com.github.<username>.<project-name> group would be automatically created if it didn't exist already.

What do you think?

It seems to me that this could increase security in our community.

Thanks - V

[tobias]

Hi @vemv! I think it would be totally fine to create project-specific groups like this; it is really no different than supporting subdomain-based groups (org.tcrawley.foo under org.tcrawley). We currently verify subdomains by considering the TXT record on the parent domain. We could do the same for github-based subdomains. There would just need to be a verification repo under <username>/clojars-<clojars-username>, and a verification request for the project-specific group. We would then verify the group and assign the user named in the verification repo as the initial member.

I would prefer to not reintroduce any automatic group creation on deploy.

[vemv]

it is really no different than supporting subdomain-based groups

Indeed. While I happen to have a (verified) domain, not everyone necessarily does.

TIL about subdomain-based groups though! I had read https://github.com/clojars/clojars-web/wiki/Groups earlier today and they're not mentioned there.

There would just need to be a verification repo

This would seem inconvenient enough that people wouldn't use it that much. Couldn't verification be implied (associated to linking one's GH account), just like it appears to be with the existing com.github.<username> scheme?

[tobias]

I had read clojars/clojars-web/wiki/Groups earlier today and they're not mentioned there.

Oops! I'll take a look and get that updated.

Couldn't verification be implied (associated to linking one's GH account), just like it appears to be with the existing com.github. scheme?

That's a fair point, and I agree. Folks should be able to request verification of com.github.<username>.<projectname>, and we would create the verified group with the Clojars account associated with that base group as the first member. I'll add that to the wiki as well.

[tobias]

I updated https://github.com/clojars/clojars-web/wiki/Verified-Group-Names#can-i-verify-a-sub-domain-based-group-of-an-already-verified-group and https://github.com/clojars/clojars-web/wiki/Groups#creatingverifying-sub-domain-groups. Hopefully that is clearer.

Also related to this discussion is https://github.com/clojars/clojars-web/issues/709, which, when implemented, will help with collaboration on a single project under a group.

[vemv]

That's perfect!

Thanks much 🍻