
Provide more clarity for adding gem owners

Jeremy Jackson requested to merge jejacks0n-add-gem-owner-information into master

Why is this change being made?

I think we should better clarify and resolve the issue of GitLab gem ownership and security concerns.

We currently have two GitLab-level gem owners, gitlab-qa and gitlab_rubygems, and some gems are under one profile and some are under the other profile. It feels a bit messy, and not very secure to me at the moment.

When setting up and publishing the gitlab-experiment gem, I was unable to get a response when adding gitlab_rubygems as an owner, and wasn't really able to track down the person who has access to the email associated with that rubygems profile. So I eventually got the gitlab-qa profile to accept my owner invitation after two tries and a conversation in Slack.

Let's get this streamlined for when others approach this. I feel like we want this to be dialed and secure -- so there's no typoing of owners, or if owner creds/tokens are compromised we can easily revoke those tokens and reissue them. We probably want a small number of owners, potentially even only the gitlab-* (qa or rubygems) one, with only a select few who have those login credentials and invitation emails forwarded to them.

This is starting to get that conversation started.

Author Checklist

  • Provided a concise title for the MR
  • Added a description to this MR explaining the reasons for the proposed change, per say-why-not-just-what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
  • Assign reviewers for this change to the correct DRI(s)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the "Maintained by" section on the page being edited.
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies.
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR.
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

Edited by Phil Calder
