jazzband / django-cookie-consent

Reusable application for managing various cookies and visitors consent for their use in Django project.
https://django-cookie-consent.readthedocs.org/en/latest/
BSD 2-Clause "Simplified" License

Implement Jazzband guidelines for django-cookie-consent #64

Closed jazzband-bot closed 1 year ago

jazzband-bot commented 2 years ago

This issue tracks the implementation of the Jazzband guidelines for the project django-cookie-consent

It was initiated by @bmihelac who was automatically assigned in addition to the Jazzband roadies.

See the TODO list below for the generally required tasks, but feel free to update it in case the project requires it.

Feel free to ping a Jazzband roadie if you have any question.

TODOs

Project details

Description: Reusable application for managing various cookies and visitors consent for their use in Django project.
Homepage: https://django-cookie-consent.readthedocs.org/en/latest/
Stargazers: 92
Open issues: 28
Forks: 42
Default branch: master
Is a fork: False
Has Wiki: False
Has Pages: False

MrCordeiro commented 2 years ago

@bmihelac, I'll work on them this weekend. Can I ask you to be the project lead though? I'm not yet overly familiar with the project.

The main responsibility is to create releases to PyPi (https://jazzband.co/about/releases#security).

To become a project lead you'll have to open a project lead issue.

Also, these issues can only be solved by you:

some1ataplace commented 2 years ago

It also looks like we will need a .pre-commit-config.yaml file since other jazzband libraries use it. In my most recent PR the test failed because I did not have it. Not sure what to put in that file.

MrCordeiro commented 2 years ago

You could add an innocuous config file, like this one: https://github.com/jazzband/wagtailmenus/blob/master/.pre-commit-config.yaml. We can add new hooks in future PRs.

MrCordeiro commented 2 years ago


@bmihelac, I'll work on them this weekend. Can I ask you to be the project lead though? I'm not yet overly familiar with the project.

The main responsibility is to create releases to PyPi (https://jazzband.co/about/releases#security).

To become a project lead you'll have to open a project lead issue.

Also, these issues can only be solved by you:

@bmihelac, did you get the chance to read this?

sergei-maertens commented 2 years ago

I can also pick up some of these things if/when I find the time, at the moment it's quite busy at $dayjob though.

sergei-maertens commented 1 year ago

@MrCordeiro - I volunteer to be team lead, I still have to work myself into the codebase itself a bit more and get more hands-on, but I have plenty of (professional) django experience with maintaining libraries as well via https://github.com/maykinmedia.

So far today, via #77 and #76 I've done some highly due maintenance work which also ticks off some Jazzband requirements:

I am not the original author, and as such I don't have access to repository settings or the PyPI project.

Question: I'm used to releasing to PyPI automatically by pushing git tags. The Jazzband release flow uses a staging package index. Is the latter required, or just something that's available? I guess there's a security risk for maintainers that are allowed to push tags to the repository in the former case?

sergei-maertens commented 1 year ago

In the meantime I had contact with Bojan and the jazzband PyPI user now also has maintainer role on the package.

jezdez commented 1 year ago

In the meantime I had contact with Bojan and the jazzband PyPI user now also has maintainer role on the package.

Thanks @sergei-maertens, I've accepted the invitation for the jazzband user account.

jezdez commented 1 year ago

@MrCordeiro - I volunteer to be team lead, I still have to work myself into the codebase itself a bit more and get more hands-on, but I have plenty of (professional) django experience with maintaining libraries as well via https://github.com/maykinmedia.

So far today, via #77 and #76 I've done some highly due maintenance work which also ticks off some Jazzband requirements:

  • added Github Actions CI (running tests, linting the code)
    • Set up test coverage reporting to Codecov
    • Set up build matrix for supported python/django versions
  • Formatted the code with black and isort + added configs
  • Added contributor guidelines
    • Includes some getting started docs and cheatsheet with relevant commands
  • Added code of conduct file referring to the Jazzband CoC
  • Cleaned up docs index page and README
    • Added Jazzband badge
    • Replaced all the old URLs to the jazzband org URLs

Thanks, this is much appreciated!

I am not the original author, and as such I don't have access to repository settings or the PyPI project.

Question: I'm used to releasing to PyPI automatically by pushing git tags. The Jazzband release flow uses a staging package index. Is the latter required, or just something that's available? I guess there's a security risk for maintainers that are allowed to push tags to the repository in the former case?

Yes, it's required to use the release workflow via the staging index so that project leads can review the tags (they'll get an email to confirm the release) to make sure they aren't maliciously created.
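As an added illustration of the point above (a human review gate between "tag pushed" and "package published"), here is a GitHub Actions workflow that publishes on tag push but holds the publish job until a required reviewer approves it. This is example code, not Jazzband's own release workflow and not part of this repository; the environment name `pypi-release` and its "required reviewers" rule (configured in the repository settings, not in the file) are assumptions for the example.

```yaml
# Added example: tag-triggered publish with a manual approval gate.
# Not the Jazzband release workflow. 'pypi-release' is an assumed
# environment name whose "Required reviewers" protection rule is set in
# the repository's Settings > Environments, not in this file.
name: Release

on:
  push:
    tags:
      - "v*"

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # The job waits here until a required reviewer approves the deployment,
    # so a tag pushed by a single (possibly compromised) account cannot
    # publish on its own.
    environment: pypi-release
    permissions:
      id-token: write   # trusted publishing via OIDC; no long-lived PyPI token in secrets
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The design choice worth noting is that the gate lives on the publish job only: building still runs automatically so reviewers can inspect the produced artifacts before approving, and the approval itself is recorded in the deployment history, which gives the same "someone other than the tag pusher confirmed the release" property that the staging index provides in the Jazzband flow.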

sergei-maertens commented 1 year ago

@jezdez I tried the package upload to the private PyPI, as you can see in https://github.com/jazzband/django-cookie-consent/actions/runs/3118124726/jobs/5057207099 it fails with an HTTP 500 which seems very much the same problem as https://github.com/jazzband/help/issues/287

MrCordeiro commented 1 year ago

Bump. @jezdez, @sergei-maertens is the project leader. The release workflow must be completed and this ticket closed.

MrCordeiro commented 1 year ago

@sergei-maertens, as the project leader, you should validate with @bmihelac if the jazzband-bot was added as a maintainer to the Read the Docs project

sergei-maertens commented 1 year ago

@MrCordeiro @jezdez

The goal of transferring this repository was to get sustainable maintenance - this happened after I volunteered to pick up maintenance (and the company I work for gives me freedom to do this). However, we are currently unable to publish new versions to PyPI, which is quite the opposite of what we wanted to achieve.

It is clear from the open issues in the Jazzband organisation and the infrastructure with the test pypi server + associated release flow that JazzBand does not have the necessary capacity for this.

I propose this library gets transferred from jazzband to maykinmedia/django-cookie-consent so that we can properly maintain and advance it.

If this cannot get resolved, I see no other option than to hard-fork.

MrCordeiro commented 1 year ago

@sergei-maertens, I completely understand your frustration. I share the annoyance you feel when you invest your time in a project and then receive no answers from the only person who could give you any insight on what that 500 error means (that is to say, Jazzband's only roadie and single point of failure).

My guess is that the reason is because this checklist still has one open item and the pipeline is meant to fail unless all items are closed. Namely, this item is still open:

Add jazzband-bot as a maintainer to the Read the Docs project

I seriously recommend you close this item before thinking about moving the package. As it stands the guidelines were not fulfilled, so it's unfair to blame Jazzband at this point.

As for the move itself, I'm assuming Maykinmedia is your employer? I don't like this, because of what I've seen happen with the wagtailmenus package: it was created by a company - but then that company moved away from Django. Soon after, the author stopped working there and no one cared about the package. I had to jump through some hoops in order to update the package.

I have the same problem as you do: my company also relies on this project.

I understand moving away from Jazzband. But I wouldn't move it to my company or yours. Perhaps it would make more sense to move it to a neutral organization or even for us to maintain the package as individuals. Please reach out if you want to discuss this further.

sergei-maertens commented 1 year ago

Yeah but that is not something I can resolve... I don't have any admin permissions on the RTD project either


sergei-maertens commented 1 year ago

As for the company approach - we are a python/django shop and it's extremely unlikely we'll stop using django. Please do check our Github and you'll see that almost every repository is django related.

We breathe open source and it's part of our mission to get commercial and public institutions to use open source. Many of my colleagues are capable of taking over if I would no longer be directly involved.


MrCordeiro commented 1 year ago

Yeah but that is not something I can resolve... I don't have any admin permissions on the RTD project either

So even if you move the project, you will still lack the full admin permissions... 🤔

@bmihelac is the original author, so he's the most likely person to fix this. Can you help us, @bmihelac?

For all its flaws, Jazzband does work after we get over the transition hurdle. We should at least complete these guidelines before giving up.

sergei-maertens commented 1 year ago

Moving out of Jazzband should result in obtaining the PyPI permissions again which were given up. The RTD permissions are not required at the moment because so far I can get by with the config file in the repository.

Publishing to PyPI is the important thing here

edit: I don't care how we get there - I hope you are right about the staging server 500 cause and this can get resolved quickly. But I do remain very sceptical about the health of the jazzband organisation if so much relies on a single roadie. Multiple people have offered to help and almost three years later nothing has actually changed in that department.


sergei-maertens commented 1 year ago

I've sent bmihelac an e-mail to hopefully get this RTD issue resolved in the next few days.

sergei-maertens commented 1 year ago

The jazzband-bot user should have a RTD invite - @jezdez are you the only person who can accept these? Or perhaps @MrCordeiro ?

MrCordeiro commented 1 year ago

Not me, sorry, @sergei-maertens

If the jazzband-bot user was sent an RTD invite, I think we can tick off that item and maybe try publishing again?

Archmonger commented 1 year ago

I do agree that moving it to your company would eventually create new maintainability issues. It's a single point of failure, which is similar to Jazzband's situation.

I would suggest a neutral org with multiple trusted admins, who may or may not be within your company.

jezdez commented 1 year ago

Hey all, just stumbled over this via https://github.com/jazzband/help/issues/337 again. I'm a little worried about jazzband-related comments here, you do know that it's inappropriate to expect responses from volunteers, who are unpaid to work on these projects, right?

Please remember: This isn't a service provider for agencies, even if they are well-known in the Django community. Full disclosure: I've contracted with @maykinmedia in the past (@joeribekker can vouch for me, if needed) and I thought they'd be aware of what it means to use OSS in commercial projects. There are NO guarantees (see the LICENSE file).

@sergei-maertens I know you mean well, I'd like to point out that this is really saddening to me:

But I do remain very sceptical about the health of the jazzband organisation if so much relies on a single roadie. Multiple people have offered to help and almost three years later nothing has actually changed in that department.

No mention that these three years were during the pandemic. No mention that in the meantime I've put in considerable work (in my spare time!) to turn Jazzband into a fiscally sponsored project to be able to have a sustainable future. You're right that more roadies would be useful and it's always next on my list when there is enough spare time. I've had some productive discussions about Jazzband with @webknjaz and @hugovk at PyCon US this year, to unblock some of this mess.

But: If you're looking for a professional (read: paid) OSS maintenance service meanwhile, please look elsewhere.

Now for the ticket here:

sergei-maertens commented 1 year ago

@jezdez - I hope this finds you in your mentions, I'll address the points you raise here

I'm a little worried about jazzband-related comments here, you do know that it's inappropriate to expect responses from volunteers, who are unpaid to work on these projects, right?

Considering I'm an unpaid volunteer too (most of my contributions to cookie-consent have been on my own time) and have done plenty of OSS contributions in other projects, I'm fully aware of this. But I don't think that means people aren't allowed to be critical of the structures that are in place and openly try to resolve impasses. Personally I feel a bit "lured" into the jazzband organisation and I think we would've gotten multiple releases on PyPI had the project not been transferred, as I was at least able to publish the package for a short time but gave up those rights to meet the jazzband requirements.

Please remember: This isn't a service provider for agencies, even if they are well-known in the Django community. Full disclosure: I've contracted with https://github.com/maykinmedia in the past (@joeribekker can vouch for me, if needed) and I thought they'd be aware of what it means to use OSS in commercial projects. There are NO guarantees (see the LICENSE file).

I can't speak for the entire company or Joeri, but I'm fully aware of that. The larger community behind cookie-consent proposed the transfer and I only stepped in as maintainer to help out with the project as we make use of it ourselves, to contribute back to the community in the spirit of OSS.

No mention that these three years were during the pandemic. No mention that in the meantime I've put in considerable work (in my spare time!) to turn Jazzband into a fiscally sponsored project to be able to have a sustainable future. You're right that more roadies would be useful and it's always next on my list when there is enough spare time. I've had some productive discussions about Jazzband with @webknjaz and @hugovk at PyCon US this year, to unblock some of this mess.

All due respect - but none of that extra context was available to me in any way. I can only react to what I see and experience, and the experience is that this and other projects were transferred to the jazzband organisation and then seemingly left to figure it out for themselves. In my opinion, this reliance on a single person and the impact the pandemic had on at least two projects is all the more reason for me to not have a single point of failure.

But: If you're looking for a professional (read: paid) OSS maintenance service meanwhile, please look elsewhere.

I'm trying to convey that - while we don't do paid OSS maintenance - we do have some capacity but are blocked by bureaucracy in getting things rolling again. I'm not asking you to write code, do reviews or even use your roadie time for releases, I'm only asking for help with the aspects that I can't manage myself, like insight into the staging PyPI server errors and the permissions to approve said releases so we can get them out to the real PyPI.

@sergei-maertens without a project lead we won't be able to make releases to PyPI.

I've been waiting to get this, as I already volunteered here which you acknowledged. Further clarification from another person here.

I've had e-mail contact with Bojan and it's clear they don't have time to maintain it, which is why I volunteered.

The jazzband-bot account didn't get an invite for the ReadTheDocs account.

I shall have to contact Bojan again, as the invites expire after two weeks iirc. The last invite was sent three weeks ago

I really don't want to step on anyone's toes, but at this point I'm also frustrated that I'm contacting people around, asking them to do tasks that I can't do myself and am investing both their and my own time and things don't get resolved. I hope you can see where my frustration comes from.

sergei-maertens commented 1 year ago

I do agree that moving it to your company would eventually create new maintainability issues. It's a single point of failure, which is similar to Jazzband's situation.

I would suggest a neutral org with multiple trusted admins, who may or may not be within your company.

I'm 100% on board with this, but let's see if we can resolve it via jazzband now that Jezdez has chimed in!

jezdez commented 1 year ago

@jezdez - I hope this finds you in your mentions, I'll address the points you raise here

I'm a little worried about jazzband-related comments here, you do know that it's inappropriate to expect responses from volunteers, who are unpaid to work on these projects, right?

Considering I'm an unpaid volunteer too (most of my contributions to cookie-consent have been on my own time) and have done plenty of OSS contributions in other projects, I'm fully aware of this. But I don't think that means people aren't allowed to be critical of the structures that are in place and openly try to resolve impasses. Personally I feel a bit "lured" into the jazzband organisation and I think we would've gotten multiple releases on PyPI had the project not been transferred, as I was at least able to publish the package for a short time but gave up those rights to meet the jazzband requirements.

That's really good feedback, despite this obviously being not a positive outcome, it does provide me with insights into how you as a volunteer perceive this. Thanks!

FWIW, in case you're wondering, I do prefer it when projects figure out their long-term maintenance problem on their own and DON'T have to be transferred to Jazzband, which is essentially a recruiting and sustainability problem.

When projects reach the end of their first generation of maintenance, many maintainers are struggling hard to suddenly have to worry about these non-technical problems. GitHub's model is to encourage creating project organizations, but that's usually just as tricky as it implies that there is a team to maintain it, so I would warmly recommend to put your ducks in a row before you transfer out.

Please remember: This isn't a service provider for agencies, even if they are well-known in the Django community. Full disclosure: I've contracted with @maykinmedia in the past (@joeribekker can vouch for me, if needed) and I thought they'd be aware of what it means to use OSS in commercial projects. There are NO guarantees (see the LICENSE file).

I can't speak for the entire company or Joeri, but I'm fully aware of that. The larger community behind cookie-consent proposed the transfer and I only stepped in as maintainer to help out with the project as we make use of it ourselves, to contribute back to the community in the spirit of OSS.

My main point is that we have to draw the line between what expectations of paid work on OSS bring (timelines, deliverables, SLAs) and work that is done without pay and in extension (as it is by design with Jazzband) without guarantees.

No mention that these three years were during the pandemic. No mention that in the meantime I've put in considerable work (in my spare time!) to turn Jazzband into a fiscally sponsored project to be able to have a sustainable future. You're right that more roadies would be useful and it's always next on my list when there is enough spare time. I've had some productive discussions about Jazzband with @webknjaz and @hugovk at PyCon US this year, to unblock some of this mess.

All due respect - but none of that extra context was available to me in any way. I can only react to what I see and experience, and the experience is that this and other projects were transferred to the jazzband organisation and then seemingly left to figure it out for themselves. In my opinion, this reliance on a single person and the impact the pandemic had on at least two projects is all the more reason for me to not have a single point of failure.

Sure, I'm simply pointing out reality, and you may choose to make decisions based on it. Or ignore it. Whatever works for you.

But: If you're looking for a professional (read: paid) OSS maintenance service meanwhile, please look elsewhere.

I'm trying to convey that - while we don't do paid OSS maintenance - we do have some capacity but are blocked by bureaucracy in getting things rolling again. I'm not asking you to write code, do reviews or even use your roadie time for releases, I'm only asking for help with the aspects that I can't manage myself, like insight into the staging PyPI server errors and the permissions to approve said releases so we can get them out to the real PyPI.

@sergei-maertens without a project lead we won't be able to make releases to PyPI.

I've been waiting to get this, as I already volunteered here which you acknowledged. Further clarification from another person here.

Ah, thanks for the reminder, I had forgotten about that!

I just flipped the bit to make you project lead and added the needed release key to the repo secrets so that the release workflow works.

Please read the release docs, guidelines and security instructions.

I've had e-mail contact with Bojan and it's clear they don't have time to maintain it, which is why I volunteered.

The jazzband-bot account didn't get an invite for the ReadTheDocs account.

I shall have to contact Bojan again, as the invites expire after two weeks iirc. The last invite was sent three weeks ago

I really don't want to step on anyone's toes, but at this point I'm also frustrated that I'm contacting people around, asking them to do tasks that I can't do myself and am investing both their and my own time and things don't get resolved. I hope you can see where my frustration comes from.

I hear you, that sounds frustrating. I just removed the checkbox above related to the RTD integration.

sergei-maertens commented 1 year ago

Thank you - I shall get in touch with Bojan regarding the RTD invite. Is there a better way to contact you than through Github, considering the invites expire? I see some social media handles on your profile, but I really, really don't want to make use of those without prior consent 😃

jezdez commented 1 year ago

Thank you - I shall get in touch with Bojan regarding the RTD invite. Is there a better way to contact you than through Github, considering the invites expire? I see some social media handles on your profile, but I really, really don't want to make use of those without prior consent 😃

That's a great question, which we're working slowly on in https://github.com/jazzband/help/issues/22. Please don't hesitate to ping me on Mastodon (preferred) or Twitter (if needed) meanwhile.

bmihelac commented 1 year ago

Hello everyone,

I'm sorry to hear about the difficulties regarding the transfer of this project to Jazzband. Currently, I don't have any resources to devote to django-cookie-consent, but I certainly don't want to be the person slowing things down. So, please inform me if there's anything I can do from my side to facilitate this process. I just checked the Read the Docs settings and noticed that the invitation for the Jazzband Bot had expired - I've revoked it and added it again. @sergei-maertens, if there's a way to transfer the RTD account to you to make things easier, I'll gladly do it.

jezdez commented 1 year ago

I just checked the Read the Docs settings and noticed that the invitation for the Jazzband Bot had expired - I've revoked it and added it again

Thanks @bmihelac, I just accepted that invitation!

jezdez commented 1 year ago

Closing as fixed.