[CentOS-devel] The Git forge decision (was CPE Weekly: 2020-03-28)

Mon Mar 30 03:47:45 UTC 2020
Neal Gompa <ngompa13 at gmail.com>

On Sat, Mar 28, 2020 at 4:12 PM Aoife Moloney <amoloney at redhat.com> wrote:
> ### Other Updates
> #### GitForge Decision
> * After evaluating over 300 user stories from multiple stakeholders we
> have aligned on a decision for the Gitforge that CPE will operate for
> the coming years. We are opting for Gitlab for our dist git and
> project hosting and will continue to run pagure.io with community
> assistance.
>     * Check out our GitForge decision on the Fedora Community blog
> https://communityblog.fedoraproject.org/
>     * And at the CentOS blog page
> https://blog.centos.org/2020/03/git-forge-decision/
> * Keep an eye out for mails in the coming months to the devel lists as
> we plan transitions and next steps with GitLab
> * We would like to express our sincere thank you to all who
> contributed requirements to us!

I'm going to start with the delivery of this decision sucked. If I
hadn't been alerted to look for this by other folks due to my advocacy
and community building work around Pagure, I would *not* have known
that the decision had been made. This is in contrast to the *big deal*
that was made about starting this "decision process". I don't know if
there were folks counting on nobody noticing this or not, but this is
not a good way to deliver effectively a major decision like this. I
also absolutely *refuse* to deal with the fact that this thread was
split into three mailing lists. All three are connected to this
thread, and I will take responses from all of them and follow them

Enough about that, let's talk about the actual decision.

So, you're going with GitLab. It's interesting to note that the
particulars about going to GitLab are not even figured out. It is
curious that "SAAS" is mentioned very prominently. That made me a bit
more curious, so I looked at the "final" feature requirements.
Needless to say, I was extremely disappointed.

To put it bluntly, there are *zero* free and open source solutions
that satisfy your needs. From this, I understood why you said GitLab
and SaaS. You want GitLab Ultimate, the proprietary solution that
includes several extra features on top to satisfy the following
requirements (quoted from your blog post):

> * There is a need for CentOS Stream to integrate with a kernel workflow that is an automated bot driven merging solution (merge trains). This allows for richer CI capabilities and minimizes the need for human interaction
> * Gitlab allows for project planning capability which could make multiple trackers such as Taiga redundant, allowing for the planning and tracking to reside within the repo. It would enrich the current ticket based solution that Pagure has evolved into for some groups

These two requirements *alone* automatically force us to GitLab
Enterprise Ultimate Edition, as there is no other solution available
that satisfies those requirements in one product. Merge trains *is* a
feature of Pagure when combined with Zuul, but GitLab's project
planning features do not exist in *any* FOSS product, including GitLab
CE (or GitLab Core as they call it now).

There are mentions of other work that CPE team wants to do to better
improve Fedora. Okay, sure. I even agree with some of them. And the
time bomb that is FAS is definitely worth the attention (note that I
am somewhat involved in the development of the Fedora AAA solution and
am also working on trying to develop a community around it so it
doesn't implode like virtually every other project under the Fedora
umbrella, more on *that* a bit later).

However, nobody has given me or anyone else in the Pagure community
(which yes, is more than Pierre-Yves, thank you very much!) any
concrete details of deficiencies they'd see that is not satisfiable by
the community within a year before now. I've spent a little over a day
analyzing the user stories and thinking about the gaps between Pagure
and what the community wants, and I want to give some perspective here
for some of these. I'm happy to accept refutations and other details
to further enhance the color of these stories, of course.

> 5
> As a RH Developer
> I need the ability to privately comment on a PR
> so that confidential information does not leak outside Red Hat

Ignoring the mountainous levels of terrible problems that such a
feature causes us *now* in the Red Hat Bugzilla, Pierre-Yves and I
were literally discussing this with a Mageian who was interested in
this feature for Pagure weeks ago. We had identified the feature as
not difficult to implement but also simultaneously nobody really
*wanted it now*. It surprises me that this is something that should be
considered an important feature to preserve. It's actually a very
*rare* feature, and does not exist in any forge today, presumably
because it's actually a horrifically bad idea and antithetical to open
development. GitLab itself lacks this feature, in all variants.

> 16
> As a general user
> I want to be able to create a bot/service account
> That integrates with the gitforge in the same way as a human does

This is a nice ask, but it's not a reasonably easy one to implement
with our current system. This is a problem I've struggled with at
$DAYJOB with GitLab as well, and frankly, if you have account
integration with a single-sign-on system (which virtually all
large-scale Git forge instances do), you can't really easily have this
without causing major problems. Not the least of which is how you
resolve account namespace collisions. There are also problems with
maintaining and auditing, too. But it's certainly something I'd like
to see in any forge (note that none implement this today either).

> 29
> As a General User
> I want to access repos fully over https
> For environments where SSH is blocked

I would be really curious if the Red Hat Infrastructure Security guys
have changed their opinion on this after four years of blocking the
development of this feature in Pagure. The two major reasons we don't
have this in Pagure are:

* There is a very strong push to not provide a way to bypass the SSO
(ignoring the fact that SSH keys are effectively a bypass, but most
security people are two-faced about this anyway)
* There is a very strong push to not provide LDAP integration so that
the required HTTP(S) Git proxy server would not be able to be

Note that for GitLab, unless you configure it to have access to LDAP
or set up personal access tokens, you cannot use HTTP(S) push at all.
Once again, this totally bypasses SSO. If the same rules that applied
to Pagure apply to GitLab, nobody is getting this feature anytime soon
with GitLab. If the attitude toward this feature has finally changed,
I'd love to know.

Also, for those who don't know, Fedora's Dist-Git supports HTTPS push,
and has for almost a year:

This is done by *forcing* an SSO flow for *fedpkg* itself and
leveraging it as a credential and auth point. Unfortunately, this is
not a general purpose feature because there's not an easy way to do
that, so it's unavailable on pagure.io at this time. This mechanism
for HTTP push is *not* possible with GitLab, and would be quite
difficult to implement due to the crazy architecture internally. But
if more *normal* HTTPS is acceptable (like through auth tokens or LDAP
auth), then this is something that could be relatively quickly added
to Pagure (there was some old code that never got merged two years
ago, I still have it archived somewhere...).

> 31
> As a General User
> I can request access rights to a repository
> So that I can contribute in a low friction manner

I honestly don't know entirely what this means. Are we talking about
having partial commit access (commit access to only some branches)? If
so, there's a PR out for implementing this in Pagure under review:

> 34
> As a General User
> I want a mobile native app
> To allow me contribute while away from my desk

I don't have words for this... You folks know that only GitHub.com has
an official mobile app, right? And the experience is not great...

> 42
> As a General User
> want a GUI to interface with the system as well as a CLI
> so new users have an easier way to interface with it

I'd like to point out that most popular GUIs for Git stuff are not
forge specific and do not even do much for forge integration. But

> 44
> As a General User
> I want a temporary file (gist)
> So that I can share code easily

There seems to be a misunderstanding here... Gists are not temporary.
They're lightweight *permanent* Git repos (in GitHub). GitLab stores
them (called Snippets) as permanent things in the database (not a Git
repo). Are you trying to conflate pastebin use-cases here? That's
probably a very bad idea...

> 46
> As a General User
> I want to be notified of CVEs in my code
> so that I can stay on top of critical vulnerabilities

There are *zero* FOSS solutions for this in the forge space. This
feature does *not* exist below GitLab Ultimate (the former Gemnasium
service was integrated into it).

> 47
> As a General User
> I want integrated keyword support
> to allow me automate a lot of my actions such as a rebuild / retest

This is not a forge feature, this is a CI service feature. And note,
GitLab CI does not support this.

> 49
> As a General User
> I want to gain analytics and insights from my code
> so that I can have historic context to make decisions moving forward

GitLab Enterprise features...

> 51
> As a General User
> I would like to track my work in an Agile manner
> allowing me centralise all my planning in my forge and gain insights into how I am working.

GitLab Enterprise features, as mentioned earlier.

> 56
> As a General User
> I want registry integration
> so that I can store dependencies

No, you don't. You *really* don't want this. Are you *sure* you know
what you're asking for? You're suggesting three things here:

* OSS solutions for this (including Fedora's own package/container
infrastructure and hosted quay.io) are not good enough
* You are ready to have even more arbitrary data stored in the Git
system that may not follow our legal compliance
* You are willing to pay the cost of having even more data stored

> 57
> As a General User
> I want the ability to have a private branch
> So that I do not need to leave the code tree I am already in

Just so everyone is *crystal clear*: you literally cannot do this. Git
does not have a concept of private branches or private refs within a
repository. You can have private forks, of course. And Pagure supports
those just fine, just like GitLab and GitHub do.

(also note, we *intentionally* do not have private repos turned on...
if we want this, we could just flip a switch...)

> 62
> As a General User
> I want automerges when specific acceptance criteria are met
> So that I do not need manual intervention

So... Mergify then? This is not *currently* a GitLab feature, and
Mergify does not support GitLab, last I checked. Only GitHub.com. It's
been on my bucket for a while to look at extending Mergify to support
Pagure for this, as it's a really nice feature...

I want to take a moment to reflect on something that has been on my
mind for a while now: Fedora has not done a good job being an umbrella
organization. As an organization, we have done a huge disservice to
all Fedora-affiliated projects by not allocating any community
development effort or marketing effort. I know that Matthew Miller
feels Fedora should evolve to being an operating systems factory[1]
and to some extent that isn't a bad thought. But the Fedora Project
was always intended to be more than just the Fedora Linux
distribution. It has always been intended to be a home for Free and
Open Source innovation. In a Hacker News thread last year[2], I had
reflected on how proud I have been to be part of Fedora because we, as
a community, weren't willing to just give up like so many others do.
When FOSS solutions were inadequate, we built better ones. We've
invented things that didn't exist before, and jump-started
conversations about concepts that people didn't think of before. But
there has been a bit of a dark side to this for Fedora. We've rarely
given our projects an opportunity to grow beyond us. Off the top of my
head, the *only* project that technically *started* in Fedora and
became successful was Ansible. And if I'm being totally brutally
honest, it was only successful because the engineers who were
passionate about it had to quit Red Hat and create AnsibleWorks to
push it to success. It was successful *despite* Fedora. Maybe soon
we'll be able to add HyperKitty and Postorius to that, as I've been
seeing deployments of that come online over the past few months. It's
taken a while, but HyperKitty is finally taking off. There was one
person I talked to who told me that HyperKitty made mailing lists
enjoyable and she didn't know the project came from Fedora originally.
Again, seeing success despite Fedora.

When I talk to folks in other communities and show them some of the
infrastructure projects we've developed as part of trying to build
communities around them, I've literally had people tell me that they
wish they had known we made them before, because it solved all their
problems they were struggling with. That's both amazingly uplifting
and terribly depressing at the same time. I'm not even putting in a
lot of effort and we get so much more out of it. It didn't take a lot
for me to get openSUSE interested in our new AAA solution and
contributing. That tells me that we're just not trying. And really,
that's obvious. Even a simple comparison of the Fedora and openSUSE
project landing pages show that Fedora gives zero attention to the
projects that exist under its umbrella. When you look at the openSUSE
landing page, the distribution and major software projects under the
umbrella are all broadcasted there. It makes it so much easier to
discover and generate interest. I'm not saying I love every aspect of
the openSUSE marketing. Far from it! But this is one thing they do
right that we do terribly wrong. And then we sit back and wonder why
our projects fail to generate interest beyond a few folks in Fedora
itself. It's a self-fulfilling prophecy. This is something we need to
fix for *all* our projects: present and future.

In the end, I think the biggest disappointment of this process is that
it feels like it demonstrates that Fedora leadership and management is
not as committed to its mission and vision[3] as I hoped it was. I
realize that I should not be surprised by this. Most of the leadership
and management are no longer the idealistic people they were when they
first became involved. And it's even harder to be idealistic when it's
so easy to give in when you work for "open source company" that
increasingly uses proprietary software to manage its workflow (to be
fair, I think at this point virtually all major companies do this,
which more or less demonstrates the amoral nature of these entities).
Maybe I'm just an old remnant of a bygone era, but I personally remain
somewhat idealistic, even as I have progressed over the years. I also
remain hopeful that other members of the community are of similar
mind. And perhaps this is a bit of a fool's hope, but I hope the CPE
team reconsiders their decision, or at least would be willing to
provide more context on the gaps they felt pushed them over so they
could be prioritized for Pagure development (and maybe we can develop
them fast enough so that we don't have to switch...).

I think this is also an important indicator that Open Source has *not*
won and it is *not* the default. People who keep saying otherwise need
to seriously look hard at the landscape and realize that we have a
long way to go before Open Source becomes the true default. It
behooves us to become cognizant of this and push for freedom whenever
and wherever we can.

As for me? Well, I will do my best to try to help develop the Pagure
community. I'm still committed to assisting the Free Software
Foundation and other communities with using and contributing to
Pagure. I hope others within the community will consider helping too.
Pagure provides unique features that do not exist in any other forge,
in large part because it is driven by an ideal that open data and
freedom should be core tenants of software project management. And
hey, I hear whispers of new Pagure instances being set up all the
time! We're doing something right here, and it'd be a shame to
squander it.

Heh, the irony is that I started using and contributing to Pagure
*because* I was burned by GitLab...

[1]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/ZBU4MYRMMAE2Z7DL4NPPECTMX2FBQAVL/
[2]: https://news.ycombinator.com/item?id=19356307
[3]: https://docs.fedoraproject.org/en-US/project/

真実はいつも一つ!/ Always, there's only one truth!