[Standards] Evaluating gitlab.com as new location for XEP Editor repositories (xeps+registrar)

Waqas Hussain waqas20 at gmail.com
Sun Jun 21 14:34:01 UTC 2020


On Tue, Jun 16, 2020 at 1:13 PM Jonas Schäfer <jonas at wielicki.name> wrote:

> > Alternatively, if we do still want to use Docker, why not just use
> > whatever GitHub's CI is or one of the many CI solutions that can work
> > with GitHub without setting up lots of new infrastructure, repos,
> > syncing, etc? (ie. Travis, Circle CI, Drone, etc. there are tons of them
> > and many of them are free but also designed to work with GitHub)
>
> Due to the messed up permission model of GitHub, all of them (I can’t test
> travis because I signed up with them a long time ago, Circle CI does, GitLab
> CI for GitHub does, Docker Hub does for newly added repositories; Drone seems
> to require infrastructure we don’t have or want to maintain on the iteam side)
> seem to require full write access to all repositories whichever account is
> used to set them up has access to or will ever have access to, public and
> private.
>
>
I'd second what Sam suggested elsewhere in the thread. If the main issue is
Github's permission model (due to us using personal human accounts for
doing CI auth), we should use Github's recommended alternatives: machine
users is what they've recommended prior to Github Actions.

See
https://developer.github.com/v3/guides/managing-deploy-keys/#machine-users

With my security hat on, using human accounts for CI is an anti-pattern.
You /want/ a machine CI user, even if human accounts would work perfectly.
This helps fully compartmentalize CI, limits blast radius when incidents
happen, and is easier when humans eventually leave the org.

If Github Actions work for our use-cases, that might be ideal though. It's
more managed, which I'd expect to translate to less burden on iteam, and
allow easier contribution by folks not on iteam.

I'm on the side of keeping issues and PRs on Github, that's where the users
are. Asking every contributor to create a Gitlab account seems unfortunate,
when practically every contributor already has a Github account.

I do appreciate the idea of supporting account-less contributions (that
Zash called out), and the historical channel for that has been the mailing
list. So that seems covered in any case.

Thanks,
Waqas