fortran-lang / registry

Registry for Fortran package manager
MIT License

Design Considerations for maintainers of packages & namespaces. #17

Open arteevraina opened 1 year ago

arteevraina commented 1 year ago

In the project, there have been discussions on namespace maintainers & package maintainers. Let's say we have multiple packages under a namespace: if the admin adds a new maintainer to the namespace, then the newly added maintainer will have access to all the packages that are listed under that namespace.

But, on the other hand, if we only have maintainers of the package, this security issue won't be there, as the newly added maintainer will have access to only that package under that namespace and the other packages will not be accessible to the maintainer.

On the other hand, we can allow users to add maintainers to the packages as well as to the namespaces. The logic will be similar; only the entity package will be changed with the namespace.

So, if an admin adds a user as a maintainer to the namespace, the user will now be the maintainer of all the packages under that namespace, and if an admin adds a user as a maintainer to the package, the user will be the maintainer of that package only.

Also, we can allow removing maintainers from the packages easily. For removing maintainers from the namespaces, we can have multiple solutions. So, if a user wants to remove a maintainer from a namespace, the maintainer can be directly removed from all the packages under that namespace, or they can ask the backend to keep the user as the maintainer of the packages and only remove the maintainer from the namespace.

It would be really helpful if we can gather wider community feedback to better implement this feature. @fortran-lang/fpm @minhqdao @perazz @henilp105

minhqdao commented 1 year ago

What is the actual question? 😅

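So it seems like you want to have:

* Namespace maintainers
* Package maintainers
* Namespace maintainers automatically being a package maintainer for all the packages within the namespace
* Optional removal of all package maintenance rights within the namespace when the namespace maintenance rights are being removed for a user
* A warning if the user still has namespace maintenance rights when package maintenance rights are being removed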

I guess that sounds sensible to me.

arteevraina commented 1 year ago

> What is the actual question? 😅
>
> So it seems like you want to have:
>
> * Namespace maintainers
> * Package maintainers
> * Namespace maintainers automatically being a package maintainer for all the packages within the namespace
> * Optional removal of all package maintenance rights within the namespace when the namespace maintenance rights are being removed for a user
> * A warning if the user still has namespace maintenance rights when package maintenance rights are being removed
>
> I guess that sounds sensible to me.

Yes, @minhqdao. I am actually considering whether to have the maintainers in a namespace or not for the MVP. It also depends on the organizations that will be planning to use our registry, and if the need arises, the namespace maintainers feature can be integrated as well.

minhqdao commented 1 year ago

I don't think it's the most important thing for the MVP but being able to add namespace maintainers is a useful feature, I'd say. You won't have to add them to every individual package.

perazz commented 1 year ago

I like the way this feature is designed. I'm no expert in this, but I would think that organizations use a namespace to oversee all their packages, so I agree that the users that are designated as namespace maintainers should be able to operate on all the packages in the namespace.

> So, if a user wants to remove a maintainer from namespace, the maintainer can be directly removed from all the packages under that namespace or they can ask the backend to keep the user as the maintainer of the packages and only remove the maintainer from the namespace.

Yes, I also agree that when removing maintainer rights, namespace maintainers should probably be able to have both options, for example:

Makes sense?

minhqdao commented 1 year ago

Think we're all on the same page here.

henilp105 commented 1 year ago

@arteevraina it seems to be the most apt solution for the MVP.
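
The maintainer model the thread converges on, sketched as an added example (not code from the registry or from any participant): namespace rights are inherited at check time, removal from a namespace can optionally cascade to direct package grants, and removing a package grant warns when namespace rights still apply. The class, method names and the sample data (`acme`, `solver`, `mesh`, `carol`) are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Registry:
    """Toy in-memory model of the rules from the thread; all names are hypothetical."""
    packages: dict = field(default_factory=dict)         # namespace -> {package}
    ns_maintainers: dict = field(default_factory=dict)   # namespace -> {user}
    pkg_maintainers: dict = field(default_factory=dict)  # (namespace, package) -> {user}

    def add_package(self, ns, pkg):
        self.packages.setdefault(ns, set()).add(pkg)

    def add_ns_maintainer(self, ns, user):
        self.ns_maintainers.setdefault(ns, set()).add(user)

    def add_pkg_maintainer(self, ns, pkg, user):
        self.pkg_maintainers.setdefault((ns, pkg), set()).add(user)

    def can_maintain(self, ns, pkg, user):
        """Effective right: a direct package grant OR a namespace-wide grant."""
        if pkg not in self.packages.get(ns, set()):
            return False
        return (user in self.pkg_maintainers.get((ns, pkg), set())
                or user in self.ns_maintainers.get(ns, set()))

    def remove_ns_maintainer(self, ns, user, cascade=True):
        """Drop namespace rights; cascade=True also revokes direct package grants."""
        self.ns_maintainers.get(ns, set()).discard(user)
        if cascade:
            for pkg in self.packages.get(ns, set()):
                self.pkg_maintainers.get((ns, pkg), set()).discard(user)

    def remove_pkg_maintainer(self, ns, pkg, user):
        """Drop a direct grant; warn if namespace rights still give access."""
        self.pkg_maintainers.get((ns, pkg), set()).discard(user)
        if user in self.ns_maintainers.get(ns, set()):
            return f"warning: {user} still maintains {ns}/{pkg} via namespace rights"
        return None


def demo():
    """Constructed data: 'carol' loses namespace rights but keeps her direct grant."""
    r = Registry()
    for pkg in ("solver", "mesh"):
        r.add_package("acme", pkg)
    r.add_ns_maintainer("acme", "carol")
    r.add_pkg_maintainer("acme", "mesh", "carol")
    r.remove_ns_maintainer("acme", "carol", cascade=False)
    return r.can_maintain("acme", "solver", "carol"), r.can_maintain("acme", "mesh", "carol")
```

Because inherited rights are computed rather than copied into each package, revoking a namespace maintainer takes effect on every package at once, and `cascade` only decides what happens to grants that were made on individual packages.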