Proposal: New github team for external rubygem maintenance


Today I wanted to do another patch to safemode rubygem only to find out that there were 5 PRs awaiting review from me (closed one) and one from @aruzicka. It happens, projects are abandoned or people don’t have time. Rather than forking, we always try to help with maintenance. In the past, we have done this for (out of my head):

With safemode, what happened is that we had two members with push access I think (Ohad and Dmitri) but both left and we are left with nobody being able to push the project forward. Therefore to avoid this, I propose forming a new github team that would have permissions for the repositories mentioned above as well as future repositories which we start taking care of.

Opinions? If you like the idea and the team is formed, drop a line below if you want to apply for membership. Make sure you have 2FA both on github and rubygems, this is a hard requirement.



I was made aware that github teams only work within our organization theforeman so they cannot be used in fog or somewhere else.

For this reason, I am changing my proposal to create a fallback github account similarly to what we do with - a shared account that could be used to reassign permissions if needed (e.g. people leave a team).

Or maybe there is some kind of a github feature that I am not aware of.

I’d say that gems that we maintain should have an automated release process by GH actions and thus credentials to some releasing account on rubygems.

@ekohl do we already have such an account on rubygems? I remember you talking about it, but not sure where we are at.

Indeed, you can’t cross organization boundaries with teams AFAIK.

I think it’ll always be up to the maintainer of a project if they want to accept something like that. For example, fog may give you just commit access on a repository, not an admin. They may also not trust you enough to add random people. I think this is not a realistic goal.

If it’s important, we should offer to transfer the repository over to our organization and become the maintainers. We’ve done this in the past and it’s the easiest solution. If the gem is already maintained in an organization, it’ll be up to individuals to maintain that relationship.

For example, I’m involved in Vox Pupuli because our installer depends on some of their modules and a lot of their gems. For this I became involved within the community until I was trusted enough to get admin permissions. That is the open source model.

I also have commit access in various Puppetlabs repositories. For this I went through the Puppet Trusted Developer program where I showed I had sufficient qualifications.

To me these things are natural. In the recent months/years we’ve seen a number of supply chain attacks. These processes are in place to minimize the chance for those. I would not accept a random person who has never contributed before.

We’ve had theforeman for a long time. There are a few people with access to that account so we can use it to publish gems even if individuals left.

I’m quite close to finishing that for Puppet. In gha-puppet I have tested a release workflow which includes secret handling. Within Vox Pupuli there are also various automated gem release workflows (such as the one in voxpupuli-test). What remains is to essentially combine all of those and wire it all up. Not hard and all the research has been done, but a bunch of work I haven’t found time for.

Of course, that’d be the same for allowing a trusted community or an individual. We do have our own strict rules and processes. It is an option to have.

Automation of releasing is indeed a great thing to have, but it does not solve our problem: when people are leaving we can lose push permissions to key libraries. That’s what I am trying to solve.

Anyways, for the safemode case we were given push permissions which is great. However, it looks like our rubygems account no longer exists. Have we changed the email from (which would be very wise) to our own domain?

[lzap@nuc ~]$ gem owner foreman_host_reports -a
You have enabled multi-factor authentication. Please enter OTP code.
Code:   xxxxxxx
Adding Owner could not be found.

I would also appreciate if we could change the rubygems user icon to the helmet, the generic one is ugly. I very often check if our gems do have the account when I land on a page. Thanks!

We have indeed. However, historically we’ve never shared it explicitly to avoid spam. It has been posted on IRC, but not in any guides and it’s also not publicly visible on Rubygems for that reason.

That was indeed an unexpected side effect of changing the email address. Rubygems uses gravatar so that’s why it changed. This is now fixed, thanks for reporting.