[all][foundation][ecosystem] External projects under the foundation hat

Artem Goncharov artem.goncharov at gmail.com
Wed Jun 22 08:12:16 UTC 2022

Thanks Clark and Jeremy for comments

> On 21. Jun 2022, at 17:34, Clark Boylan <cboylan at sapwetik.org> wrote:
> On Tue, Jun 21, 2022, at 8:03 AM, Artem Goncharov wrote:
>> Hi all,
>> During the summit we had some nice conversations and I wanted to 
>> actually use the chance and try to formalise the discussion to gather 
>> broad opinions and ideally solutions.
>> Sidenotes:>>>>>
>> - I enjoy opendev
>> - I really enjoy gerrit and find it an ultimate code review system
>> - I can understand people not able to cope with additional complexity 
>> and prefer pull request pattern to the change pattern
> I think we should be careful with the assertion that Gerrit is more complex. It is different, but I'm not sure it is more complex. Pushing to Gerrit isn't any more complex than pushing to Github. Github even has the extra step of needing to open a pull request explicitly. But it is different and does require learning a different process.

Ok, accepted. Personally I agree and disagree with your statement, cause I went multiple times through explaining “change” model to both experienced and unexperienced people and is usually painful. In the Outreachy we also have same practice each time and this is for people just harder to understand (I see project on GitHub, why can’t I open PR here like I would do for every other project on GitHub). But that is not relevant here. I will try to avoid statement “more complex” in future communication.

BTW, are we absolutely and unbendable strict on using change methodology vs pull? I mean would there be conceptual disagreement on using PR approach on opendev.org <http://opendev.org/> with purely gitea for those “ecosystem” tools? The process (and UI) feels exactly like GitHub and I guess we could cover lot of concerns. I know we currently do not have Zuul support for gitea API, but I would be willing to contribute to that once this is an option at all. My experience show that when there is huge conceptual barrier it is possible to guide people through by moving them slowly into this direction and showing them advantages while going forward (first move them from GH to opendev keeping PR style, then once people see limitations of PR model show how “change” model addresses those concerns) - doing small steps.

Practically this would mean we need:
 - introduce auth on opendev.org <http://opendev.org/> (integrate with existing accounts?)
 - be ready for the git storage to grow (due to forks)
 - extend infra maintenance tools to cope with projects configuration
 - introduce gitea driver in Zuul

>> - I use PR change pattern for relatively simple projects (and lot of 
>> other huge projects do it this way)
>> - I am not blaming and not going to blame anybody here
>> End sidenotes>>>>>>
>> - Some month ago gophercloud folks came to us and wanted to give source 
>> code under the foundation. Feedback from us was more or less: you 
>> either host on opendev and use gerrit or not at all. Members of gopher 
>> cloud rejected proceeding this way with detailed reasoning. I can fully 
>> understand reasonings and I also observe similar issues with 
>> auto-closed GitHub PRs (for SDK or OSC) and the fact that those changes 
>> in most of the cases never really reach gerrit. Especially in the SDK 
>> area it would have been very useful to get various SDKs under single 
>> team to spread the know how and synchronise their feature sets. Maybe 
>> even use shared credentials to public OpenStack clouds to verify and 
>> publish their coverage.
>> - Some software solutions (especially those based on Golang) were 
>> designed with GitHub in mind and are actually not really working 
>> outside. For example in order to publish provider for HashiCorp 
>> Terraform into their registry your product must be hosted on GitHub 
>> (particularly you must upload build artifacts as release on GH). There 
>> is sadly no other possibility.
> This isn't the only instance we've run into this. The CNCF's Cloud Native landscape (https://landscape.cncf.io/ <https://landscape.cncf.io/>) requires open source projects be hosted on Github (not not proprietary systems....). From my perspective, I think this calls out why it is important for us to continue to push back against these rules. Software is built in a number of places and if we force people to use Github (and other proprietary tools) we move away from part of the mission here.

I agree we need to support making landscape flexible. But I am not 100% sure we should currently (due to general lack of contributions) simply refuse those willing to contribute into OpenStack . Terraform is a very prominent example here as well - you must be on GitHub to publish your artefacts. Don’t we want to have official TF provider following our best practices (therefore this is not an infrastructure only question)?

As mentioned above - if we address concerns of developers by starting supporting also PR model we can have more arguments to strengthen our position.

>> - My company has created HashiCorp secretstore plugin for OpenStack and 
>> we are willing to donate this under the foundation to have proper 
>> ownership of the software (not to have our company name in the hosting 
>> path since it is pretty confusing). From features point of view there 
>> is still place to evolve and it would be cool to get other interested 
>> parties to participate. We would be able to OpenDev without conceptual 
>> issues and are going to request projects for that, but that still has 
>> one issue: publishing of binary artifacts - not immediately available 
>> in opendev (afaik). On GitHub we publish it as GH Release.
> OpenDev supports publishing of binary artifacts through a number of mechanisms. OpenStack wheel packages are pushed to pypi, docker images are pushed to Docker Hub and Quay and so on, tarballs.opendev.org <http://tarballs.opendev.org/> hosts other random artifacts as well. It sounds like you specifically need Github Releases though. Can you not trigger releases against mirrored content? I think that should work? You might need to be more specific about what the actual needs are here.

Awesome hint. I completely forgot we have tarballs.opendev.org <http://tarballs.opendev.org/>. This is absolutely sufficient for my case, but in general we may explore publishing to GitHub mirror releases while still doing development on gitea. That requires having GH app token though (that is actually where those Vault plugins are being useful - you just fetch the token from vault and it expires afterwards).

>> As such the point I am trying to address is that we as a very big 
>> project should be bit more open to the world of tools around OpenStack 
>> (I mean explicitly **not** the OpenStack itself) and allow easy 
>> integration for those who want to extend OpenStack ecosystem. Depending 
>> on the particular application this may set certain limitations on the 
>> solution (i.e. must be on GitHub, must use Jira, whatever) which might 
>> be not compatible out of box with the OpenDev scheme. Do we as a open 
>> community want to set strict boundaries or can we ease some of those 
>> for the ecosystem around of OpenStack?
>> - Would it be possible for the project hosted outside opendev be 
>> governed by OIF and somehow visually belong to OpenStack? (As a user I 
>> would definitely choose to use GitHub.com/openstack/project_x rather 
>> then GitHub.com/some_crappy_nic/project_x)
> OIF does have projects that are not hosted on OpenDev. Whether or not OpenStack wants to have projects hosted outside of OpenDev is probably the major item to sort out here.

Precisely this is the point. I am sure we can solve technical issues, but we need to have structural things clarified first - thus this discussion.
@foundation/tc - please comment.

>> - Can such project enjoy Zuul integration not being part of opendev git 
>> hosting? Technically it is surely possible (Ansible modules were tested 
>> this way), but requires in my eyes precise definition.
> The OpenDev team tried to provide CI integration with Github provided projects (some Kata repos) and found that we weren't able to do it at a level that was maintainable. Github itself poses a number of challenges, but we also found that projects there being even more disconnected were even less likely to be involved in helping themselves which is something that we currently rely on to make this collaboratory successful. All that to say we (the OpenDev team) cannot provide CI resources to Github repos.
> We do provide third party CI for a small number of projects with the expectation that people on the OpenDev hosted project side are able to care and feed for that.

Fair point. That is why I wrote that I would be able to support this (due to having maintainable solution working on our side). There should be just willingness and allowance to move into this direction.

> I think this calls out the fundamental disconnect here. We use open source tools because we believe that open source needs and should be built with open source tools. That does require a little bit of investment from the project side to ensure the tooling functions as needed and is maintained.

I would rather disagree with such statement: just because you host your code on a proprietary hosting (but make it freely available) does not mean your are violating this mission. I also believe we should be using open source tools (and we do that), but that doesn’t mean everyone else is breaking bad [not meant to be abusive statement].

Generally we have again here the same “infra” concerns in the discussion (which are already known historically, but anyway thanks for making them clear again), but what about other opinions? Are there any other thoughts or am I the only one interested to get this sorted out?

Just to repeat, my current case is really about a very strong desire and, I would say even need, to have gophercloud be very close to OpenStackSDK. Can we at least think about placing them under OpenStack GitHub org without Zuul access to have a better affiliation with OpenStack (gopher folks, hope you do not mind of such step. Or maybe we try to demonstrate here how to make this manageable with Zuul - reach me out if there is interest)?

>> P.S. For the case when zuul/github integration (management) is the only 
>> limiting factor I will be gladly supporting the integration and 
>> maintenance, since we have created an Ansible collection for managing 
>> of GitHub organisations/projects/teams/members (in the project-config 
>> spirit) which we use to manage our deployment (and I know others are 
>> using it as well).
>> Tell me what you think and let us, please, focus on how to cope with 
>> different expectations rather which one is right and which is wrong.
>> Thanks a lot,
>> Artem

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220622/aed6907c/attachment-0001.htm>

More information about the openstack-discuss mailing list