GitLab.mdwn 15.6 KB
Newer Older
intrigeri's avatar
intrigeri committed
1
Tails issues and code are managed in [[!tails_gitlab "" desc="GitLab"]].
2

intrigeri's avatar
intrigeri committed
3
This page focuses on aspects of GitLab usage that are specific to Tails.
4 5 6 7

This workflow is not set in stone: it will evolve based on what
we learn while using GitLab.

intrigeri's avatar
intrigeri committed
8
For general GitLab usage information, see the
9
[[!tails_gitlab help/user desc="GitLab user documentation"]].
intrigeri's avatar
intrigeri committed
10 11

[[!toc levels=2]]
12

intrigeri's avatar
intrigeri committed
13
# Getting started
14

15 16 17 18
To create your GitLab account, visit the [[!tails_gitlab users/sign_in
desc="registration page"]] in a web browser.

Then you will be allowed to open new issues and merge requests.
19

intrigeri's avatar
intrigeri committed
20 21
Later on, if you need to do something in GitLab and you appear to lack the
needed credentials, please ask
22 23 24 25
[[tails-sysadmins@boum.org|about/contact#tails-sysadmins]] to grant
you more power. For example, you will need "Reporter" access on
the [[!tails_gitlab tails/tails]] project in order to add labels
or assign issues.
26

27 28 29 30 31 32 33 34
# Group and projects

All our work is tracked in projects under the [[!tails_gitlab tails
desc="tails group"]].

The main Git repository and most issues live in the [[!tails_gitlab tails/tails
desc="tails/tails project"]].

35
<a id="metadata"></a>
intrigeri's avatar
intrigeri committed
36
# How we use GitLab metadata
37 38 39 40

On GitLab, issues and merge requests have metadata.

Being consistent in the use of GitLab metadata makes collective work
intrigeri's avatar
intrigeri committed
41
smoother.
42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

## Title and description

The title should be a short but clear description of what this is about.
Some people are case sensitive, please try to consider that.

## Status

### Open issues

Each open issue must have exactly 0 or 1 of these labels:

 - No such label: newly created issue that needs to be triaged
   by the UX team and Foundations Team.

57
 - _To Do_: it would be good if someone worked on this issue
58

59
 - _Doing_: someone is actively working on this issue
60

61
 - _Needs Validation_: a resolution has been proposed and needs to be reviewed.
62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153
   For details, see our [[merge policy|/contribute/merge_policy]].

### Closed issues

Closing an issue means one of:

 - The bugfix or feature the issue is about:
 
    - was merged and will be in a future release
    - or is already available to our users

   The _Milestone_ value tells in which case we are.

 - We've rejected it.
 
   For example: it does not fit into Tails' mission,
   or the problem shall be resolved elsewhere than in Tails.

   To reject an issue, create a comment that:
   
    - explains why you're rejecting it
    - adds the _Rejected_ label (`/label Rejected`)

 - It duplicates another issue.
 
   To mark an issue as a duplicate, create a comment that:
   
    - mentions the other, duplicated issue
    - adds the _Duplicate_ label (`/label Duplicate`)

<a id="assignee"></a>

## Assignee

We use the _Assignee_ field in a way that helps us organize share our
work as a team, focus on what matters most currently, and avoid
individual over-commitment & feelings of failure.

To this aim, most tasks should be up for grabs for anyone who has spare capacity
and the required skills: [Don't Lick the
Cookie](https://www.benday.com/2016/10/21/scrum-dont-lick-the-cookie/).

So in general, issues and merge requests should not be assigned to anyone. 

This being said, we do assign them if at least one of these conditions is
met:

 - Someone is actively working on it.

 - The task is both important and urgent.

 - The _Target version_ is set to the next Tails release.
   See the "Target version" section above for details.

 - We did all the work we could on this task already and now have to
   track progress on a blocker that we cannot address ourselves.
   For example, regularly tracking progress and pinging on patches
   we've submitted upstream.

 - Only one of us can complete the task. This helps identify
   bottlenecks, high bus factor, and over-commitment.

 - Sponsor deliverables that are managed under the "let's decide
   a long time in advance who exactly will do each task" paradigm.

 - It is about the parent ticket for a large project with several
   subtasks that will be tackled by different people, and we need
   someone to coordinate the project.

<a id="milestone"></a>

## Milestone

Different teams and contributors use the _Milestone_ value differently:

 - Some teams try their best to treat it as a commitment, that other Tails
   contributors should be able to rely on.
 - Others use it as a pool of tasks they want to have on their short-term radar.

For issues that are on the Tails [[!tails_roadmap]], the _Target version_ is set
to a year, until it makes sense to target a specific release.

Postponing to the next _Target version_ more than once is not business
as usual — it's a red flag. Ideally, the underlying problem should be identified
and addressed: for example, the assignee might need help or be over-committed;
the team could be under-staffed; or perhaps the task should simply not have
a _Target version_ in the first place.

## Priority

Every open issue must have exactly 0 or 1 of these labels:

154
 - _P:Low_: it would be good to do this, but it's unlikely
155 156
   that current Tails contributors find time to work on it
   any time soon
157 158 159 160
 - _P:Normal_, or no such label: this is the general case
 - _P:Elevated_
 - _P:High_
 - _P:Urgent_
161 162 163

## Category

164
We classify issues with labels whose name starts with _C:_.
165

166
For example, _C:Email Client_ or _C:Installation_.
167 168 169 170

## Type of work

To indicate the type of work that's needed to complete the next step
171
on an issue, we use labels whose name starts with _T:_.
172 173 174

For example:

175 176
 - _T:Debian_: the work shall be done in Debian
 - _T:End-user documentation_: everything below [[doc]] and [[support]]
177
    on our website
178
 - _T:Contributors documentation_: everything below [[contribute]]
179
    on our website
180
 - _T:Wait_: we are waiting/tracking actions we need non-Tails
181
   people to do, outside of Tails
182
 - _T:Website_: website work not covered by other options
183 184 185 186 187 188 189 190 191 192 193 194 195

## Other labels

 - _Starter_: issues flagged as *Starter* can be a good pick for new contributors
   [[Learn more|contribute/working_together/criteria_for_starter_tasks/]].

## Relationships between issues

Arguably, GitLab CE is a bit limited when it comes to expressing semantic
relationships between issues. Here is how we can overcome these limitations.

### Parent/subtask and Blocks relationship

196 197
A GitLab issue can have a
[[!tails_gitlab help/user/markdown.html#task-lists desc="task list"]].
198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215

Every task is a task list can be:

 - free-form text

 - a `#NNNN` link to another issue, that needs to be closed
   before the issue with the task list can itself be closed.

### Related issues

You can list related issues either in the description or in a comment.

Either way, this adds a message in the Activity stream of the
referenced issue, with a link to the referencing issue.

## Confidential issues

You can make an issue
216
[[!tails_gitlab help/user/project/issues/confidential_issues.html desc="confidential"]]
217 218 219 220 221 222
when creating it or at any later time.

A confidential issue is visible only by:

 - whoever created it
 - project members with at least
223 224
   [[!tails_gitlab help/user/permissions.html#project-members-permissions
   desc="Reporter"]]
intrigeri's avatar
intrigeri committed
225 226
   access; that is, for our [[!tails_gitlab tails/tails desc="main GitLab
   project"]]: most past and present Tails contributors
227 228

If your team regularly manipulates confidential data, then its issues live under
intrigeri's avatar
intrigeri committed
229 230
a dedicated GitLab project, with a different set of members, and possibly
configured so that new issues are confidential by default.
231

intrigeri's avatar
intrigeri committed
232 233 234
# How to document progress

See [[contribute/working_together/document_progress]].
235

intrigeri's avatar
intrigeri committed
236
# How to request and provide input
237

238 239 240 241 242 243 244 245 246 247
## How to participate in discussions

You can comment on issues and merge requests.
Our [[contribute/working_together/code_of_conduct]] applies.

If you want to start a new discussion, please use _Start thread_ instead of
_Comment_: a thread can be marked as resolved, while a comment cannot.
This helps keeping track of which discussions have reached a conclusion,
and which ones are still pending.

intrigeri's avatar
intrigeri committed
248
## Requesting input from someone else
249

intrigeri's avatar
intrigeri committed
250 251
If you need input from someone else on an issue or merge request,
ask your question in a comment there, mentioning them
252 253 254
with their GitLab login name: `@nick`. GitLab will send them
an email notification about it and add it to their To-Do list.

intrigeri's avatar
intrigeri committed
255
## Acting upon input requests
256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274

It's important to provide requested information as quickly as you can,
to make the Tails contribution process more efficient and enjoyable.

When input is requested from you on an issue or merge request with `@nick`:

 - GitLab adds an item in your
   [To-Do list](https://gitlab.tails.boum.org/dashboard/todos).

 - GitLab may send you an email notification

   Please ensure your GitLab email notification settings and your email setup
   allow you to receive and notice these messages.

When you receive such a request, if you cannot provide the requested input
immediately, you're responsible for keeping track of this task, for example via
the To-Do list, or by creating a new issue assigned to yourself, or using
whatever personal organization tools work for you.

intrigeri's avatar
intrigeri committed
275 276 277 278
# How to submit and review merge requests

See the [[contribute/merge_policy]].

intrigeri's avatar
intrigeri committed
279
# Email interface
280 281 282 283 284 285 286

Using the email address registered with your GitLab account,
you can:

 - Stay informed of what's happening in GitLab

   To do so, enable email
287
   [[!tails_gitlab help/user/profile/notifications.html desc="notifications"]].
288

289
 - Participate in [[!tails_gitlab help/user/discussions/ desc="discussions"]]
290 291 292 293 294 295 296 297 298
   on issues and merge requests, modify issues metadata

   To do so, reply to an email notification you've received from GitLab.
   
   Write your email just as if you [replied from the
   web].
   In particular:

    - Write your email in
299
      [[!tails_gitlab help/user/markdown.html Markdown]].
300
    - You can use
301
      [[!tails_gitlab help/user/project/quick_actions.html desc="Quick actions"]].
302 303 304

 - Create new issues
 
305
   See [[!tails_gitlab help/user/project/issues/managing_issues.html#new-issue-via-email desc="New issue via email"]]
306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332
   in the GitLab documentation.

# Core teams' work

Some of the teams who do
[[Core work|contribute/working_together/roles]] (be it paid or done on
a volunteer basis) maintain GitLab metadata in order to:

 * provide visibility on what they doing & their priorities;

 * give the Tails community some power over setting these priorities;

 * encourage the Tails community to help core workers define their
   priorities: they sometimes have a hard time deciding by themselves
   how they should spend their time on what matters the most to
   the project.

To track this, these teams use
[labels](https://gitlab.tails.boum.org/tails-team/-/labels)
whose name starts with *Core work*.

The teams who use this mechanism are more than happy to get feedback
about these priorities: both addition and removal suggestions are
welcome. Please check the mission statement for the corresponding team
first, to ensure you're not asking them to do something that's outside
of the scope of their job. And please justify your suggestions.
Please check these views once in a while and talk to us! :)
intrigeri's avatar
intrigeri committed
333

intrigeri's avatar
intrigeri committed
334 335 336 337 338 339 340 341 342 343 344 345 346 347 348
<a id="operations"></a>

# Operations

## Administration of GitLab

Our friends at <https://www.immerda.ch/> host [[!tails_gitlab desc="our GitLab
instance"]].

The Tails [[system administrators|working_together/roles/sysadmins]]
administrate this GitLab instance.

<a id="access-control"></a>

## Access control
intrigeri's avatar
intrigeri committed
349 350 351 352

XXX: document the process to grant access level to users, once this [is
implemented](https://salsa.debian.org/tails-team/gitlab-migration/issues/33).

intrigeri's avatar
intrigeri committed
353
### Objects
intrigeri's avatar
intrigeri committed
354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381

 - _Canonical Git repo_: the authoritative [[!tails_gitlab tails/tails]]
   repository, hosted on GitLab

 - _Major branches_: `master`, `stable`, `testing`, `devel`,
   and possibly `feature/bullseye`

 - _Release tags_: a signed Git tag that identifies the source code
   used to build a specific Tails release; currently all tags
   in the authoritative `tails.git` repository are release tags;
   the tag name is a version number, with '~' replaced by '-'.

 - _Particularly sensitive data_: confidential data that specific teams
   like Fundraising and Accounting need to handle, but that other
   contributors generally don't need direct access to. This definitely
   include issues; this might include Git repositories at some point.

   Note that as of 2020-03-29, it is undefined:

    - What subset of this data can go to a web-based issue tracker or not.<br/>
      This is already a problem with Redmine.<br/>
      Fixing this will require discussions between various stakeholders.

    - What subset of this data could live in a cleartext Git
      repository hosted here or there, as opposed to requiring
      end-to-end encryption between members of these teams.
      This is a hypothetical problem for now.

intrigeri's avatar
intrigeri committed
382
### Subjects
intrigeri's avatar
intrigeri committed
383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426

 - An _admin_ can do anything that other roles can, and:
   - can delete issues
   - can edit team membership
   - MUST comply with our "Level 3" security policy
   - can view issues that contain particularly sensitive data

 - A _committer_:
   - can push and force-push to any ref in the canonical Git repo,
     including major branches and release tags;<br/>
     incidentally, this ensures the following requirement is met:
   - their branches are picked up by Jenkins; it follows that they
     MUST comply with our "Infrastructure" security policy
   - can merge MRs into major branches
   - can modify issues metadata
   - is allowed to view confidential issues in the [[!tails_gitlab tails/tails]]
     GitLab project; that's OK, because particularly sensitive data
     lives somewhere else, with stricter access control
   - can edit other users' comments
   - MAY be allowed to add new team members
   - MUST comply with our "Level 3" security policy

 - A _regular, particularly trusted contributor_:
   - can push and force-push to a subset of refs in the canonical Git repo;
     this subset MUST NOT include any major branch nor release tag;<br/>
     this is required to ensure the following requirement is met:
   - their branches are picked up by Jenkins; it follows that they
     MUST comply with our "Infrastructure" security policy
   - can modify issues metadata
   - is allowed to view confidential issues in the [[!tails_gitlab tails/tails]]
     GitLab project; that's OK, because particularly sensitive data
     lives somewhere else, with stricter access control

 - A _regular contributor_:
   - can fork the Git repositories and push changes to their own fork
   - can modify issues metadata
   - is allowed to view confidential issues in the [[!tails_gitlab tails/tails]]
     GitLab project; that's OK, because particularly sensitive data
     lives somewhere else, with stricter access control

 - _Anybody with a GitLab account_ on the instance we use:
   - can submit issues
   - can submit MRs

intrigeri's avatar
intrigeri committed
427
### Implementation
intrigeri's avatar
intrigeri committed
428

intrigeri's avatar
intrigeri committed
429
#### Relevant GitLab doc
intrigeri's avatar
intrigeri committed
430

431 432 433 434
 - [[!tails_gitlab help/user/permissions.html desc="Permissions"]]
 - [[!tails_gitlab help/user/project/merge_requests/authorization_for_merge_requests.html desc="Authorization for Merge requests"]]
 - [[!tails_gitlab help/user/project/protected_branches.html desc="Protected Branches"]]
 - [[!tails_gitlab help/user/group/ desc="Groups"]]
intrigeri's avatar
intrigeri committed
435

intrigeri's avatar
intrigeri committed
436
#### Access levels
intrigeri's avatar
intrigeri committed
437

438 439 440
We use the [[!tails_gitlab
help/user/project/merge_requests/authorization_for_merge_requests.html#protected-branch-flow
desc="Protected branch flow"]]:
intrigeri's avatar
intrigeri committed
441 442 443 444 445 446 447 448 449 450 451

 - Our major branches and release tags are marked as "Protected".
 - Committers get "Maintainer" access.
 - Regular, particularly trusted contributors, who are not granted full commit
   access but have access to our CI, get "Developer" access. They can push
   a topic branch to the canonical Git repository and our CI will pick it up.
   They can also modify any non-protected topic branch.
 - Other contributors get access strictly lower than "Developer".
   They push topic branches to their own fork of the repository and
   create merge requests.
 - Our Jenkins CI jobs generation process is the same as in pre-GitLab days.
452