Unsponsored Comaintainers

Toshio Kuratomi a.badger at gmail.com
Fri Oct 5 21:57:21 UTC 2007

Rahul and Jef Spaleta asked me about this recently so I decided to throw 
this out as a conversation starter.  Please comment on this as Luke and 
I need some input from releng or FESCo about whether this is a goal we 
should be aiming for before we can implement it.

= Unsponsored Comaintainers =

Sometimes a contributor wants to get involved with a single Fedora 
package.  This is often the case with upstream maintainers who are 
interested in seeing their software run well on Fedora but either lack 
the time to participate in or are disinterested in Fedora as a whole.

One way to enable this is to have current Fedora Packagers "mentor" the 
upstream maintainers.  The Fedora Packager can be the owner of record 
for the package and make sure that it integrates with the rest of 
Fedora.  The upstream maintainer would take the role of comaintainer for 
the package and help mainly with code-related bugs.

For this sort of work, it would be ideal if the comaintainer could 
commit to the package but not build or push.  The package owner would 
then have the ability to check the changes that the upstream maintainer 
made to verify they followed the Fedora Packaging Guidelines and 
integrated with things going on in the rest of the distro.

At the moment we are constrained by the limitations of the tools we're 
working with (koji, packagedb, cvs repository, and bodhi).  So here's a 
three-phase approach to getting to the ideal:

== Phase 1 ==

Upstream maintainer and Fedora Package owner decide to collaborate.  The 
Upstream maintainer signs the CLA.  Someone from a group of sponsors 
willing to work on this as a pilot program sponsors them into cvsextras.

The comaintainer can now request commit acls on the package.  This gives 
them access to commit to cvs, build in koji, and push via bodhi for this 
package.  There is an understanding among the participants that the 
upstream maintainer should not work on packages for which they have not 
been granted commit access.  The sponsor has to watch the commits list 
for changes made by the upstream maintainer that violate this policy.

This requires no changes to our tools but requires:
1) a pool of sponsors willing to work on this
2) commitment from unsponsored comaintainers to follow the rules and 
sponsors who are willing to police those comaintainers to make sure 
they're abiding by them.

== Phase 2 ==

In phase 2, we can remove the pool of sponsors.  Instead we allow people 
without cvsextras to sign up to comaintain a package.  If the primary 
package maintainer approves, the comaintainer is allowed to use any of 
the acls they are approved for.  The package owner would still have to 
watch to make sure the comaintainer is not doing more than they are 
supposed to on that particular package.

This requires changes to the cvs repository so people not in cvsextras 
but explicitly in the acl are allowed to commit.  This could be a bit 
tricky as we currently have two levels of security in the repository: 1) 
People must be in the acl to access resources of the repository, 2) they 
must be in cvsextras.  We'll want something equivalent in the new setup.

== Phase 3 ==

In this stage, we make sure that acls prevent people from doing things 
they are not supposed to, freeing the package owner from some of the 
manual policing they had to do before.  The PackageDB will have acls for 
pushing and building as well as committing.  This will allow package 
owners to specify that a maintainer should only be allowed to commit or 
only allowed to commit and build.

The packagedb will need to allow changing of build and push acls. [easy]
Bodhi will need to operate on the push acls instead of the commit acls. 
koji will need to support restricting builds.
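
The gap between what the tools permit and what the package owner intends, per phase, as an added example that is not part of the original post and is not Fedora's packagedb, koji or bodhi code. The package and user names, the `tool_allows` and `manual_policing` helpers, and the reading that a commit acl also gates build and push in Phases 1 and 2 are assumptions made for illustration.

```python
"""Added illustration; constructed data, not Fedora's packagedb, koji or bodhi code."""

ACTIONS = ("commit", "build", "push")

# Constructed sample: what the package owner intends each person to be able to do.
INTENDED = {
    ("foo", "owner1"): {"commit", "build", "push"},
    ("foo", "upstream1"): {"commit"},          # comaintainer: commit only
}
CVSEXTRAS = {"owner1", "upstream1"}            # upstream1 sponsored in Phase 1


def tool_allows(phase, user, package, action, group=CVSEXTRAS):
    """What the tooling would permit in each phase (simplified, assumed model)."""
    granted = INTENDED.get((package, user), set())
    if phase == 3:
        # Separate commit/build/push acls are enforced per action.
        return action in granted
    # Phases 1 and 2: only a commit acl exists, and it also gates build and push.
    has_commit = "commit" in granted
    if phase == 1:
        return has_commit and user in group    # second check: cvsextras membership
    return has_commit                          # Phase 2: the explicit acl is enough


def manual_policing(phase):
    """Actions the tools permit but the owner did not intend: what must be watched."""
    return sorted(
        (pkg, user, action)
        for (pkg, user), wanted in INTENDED.items()
        for action in ACTIONS
        if tool_allows(phase, user, pkg, action) and action not in wanted
    )


if __name__ == "__main__":
    for phase in (1, 2, 3):
        print("Phase", phase, "needs manual review of:", manual_policing(phase))
```
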


More information about the fedora-devel-list mailing list