On 2022-06-24 20:01:09 +0200 (+0200), Artem Goncharov wrote: [...]
- can we have official OpenStack projects outside opendev? [yes/no] - can we have non-official OpenStack projects (lets call them affiliated) not hosted on opendev under *some* OpenStack governance? [yes/no] - can we have OpenStack manage *git* organisation (i.e. GitHub organisation) as well as artifacts publishing for those outside of opendev as some form of limited governance? This may or may not include some more regulations regarding PTI, code-review, etc. Purpose is to improve marketing side of the delivery and be able to revive it once current maintainers depart [yes/no]
Those are up to the TC members to decide, so I'll leave that to them.
- can we provide Zuul gating for those official or affiliated projects outside of opendev (with strict regulations what and how)? [yes/no]
If that's a question for the OpenDev sysadmins, we've got a pretty firm collective "no" on it at this point based on prior discussions. We're happy for projects to set up advisory testing for dependencies hosted on GitHub (think "third-party CI" type feedback on those projects' pull requests) and do things like provide builds of ARM/AArch64 wheels for pyca/cryptography in order to make OpenStack's ARM-based jobs much faster, but configuring our Zuul deployment to provide gating services for projects hosted outside the Gerrit we operate isn't happening in my opinion.
- can we _think_ on allowing people use alternative public auth providers (i.e. GitHub, ...) accounts with OpenStack to lower the entry barrier? [yes/no] [...]
That's one of the goals for https://docs.opendev.org/opendev/infra-specs/latest/specs/central-auth.html so if you have time or know someone who has time to help make further progress on it, please let us know. We have a Keycloak PoC already up so we can demo authenticating Zuul admin API calls (at https://keycloak.opendev.org/ currently), but the larger effort is migration planning and integrating the existing Launchpad OpenID as a source so we can let existing users continue to authenticate, at least temporarily. -- Jeremy Stanley