GitLab.mdwn 15.1 KB
Newer Older
intrigeri's avatar
intrigeri committed
1
Tails issues are managed in [[!tails_gitlab "" desc="GitLab"]].
2

intrigeri's avatar
intrigeri committed
3
This page focuses on aspects of GitLab usage that are specific to Tails.
intrigeri's avatar
intrigeri committed
4 5
For general GitLab usage information, see the
[GitLab user documentation](https://docs.gitlab.com/ce/user/).
intrigeri's avatar
intrigeri committed
6 7

[[!toc levels=2]]
8

intrigeri's avatar
intrigeri committed
9
# Getting started
10

11 12 13 14
To create your GitLab account, visit the [[!tails_gitlab users/sign_in
desc="registration page"]] in a web browser.

Then you will be allowed to open new issues and merge requests.
15

intrigeri's avatar
intrigeri committed
16 17
Later on, if you need to do something in GitLab and you appear to lack the
needed credentials, please ask
18 19 20 21
[[tails-sysadmins@boum.org|about/contact#tails-sysadmins]] to grant
you more power. For example, you will need "Reporter" access on
the [[!tails_gitlab tails/tails]] project in order to add labels
or assign issues.
22 23

<a id="metadata"></a>
intrigeri's avatar
intrigeri committed
24
# How we use GitLab metadata
25 26 27 28

On GitLab, issues and merge requests have metadata.

Being consistent in the use of GitLab metadata makes collective work
intrigeri's avatar
intrigeri committed
29
smoother.
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44

## Title and description

The title should be a short but clear description of what this is about.
Some people are case sensitive, please try to consider that.

## Status

### Open issues

Each open issue must have exactly 0 or 1 of these labels:

 - No such label: newly created issue that needs to be triaged
   by the UX team and Foundations Team.

45
 - _1. To do_: it would be good if someone worked on this issue
46

47
 - _2. Doing_: someone is actively working on this issue
48

49
 - _3. Needs Validation_: a resolution has been proposed and needs to be reviewed.
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211
   For details, see our [[merge policy|/contribute/merge_policy]].

### Closed issues

Closing an issue means one of:

 - The bugfix or feature the issue is about:
 
    - was merged and will be in a future release
    - or is already available to our users

   The _Milestone_ value tells in which case we are.

 - We've rejected it.
 
   For example: it does not fit into Tails' mission,
   or the problem shall be resolved elsewhere than in Tails.

   To reject an issue, create a comment that:
   
    - explains why you're rejecting it
    - adds the _Rejected_ label (`/label Rejected`)

 - It duplicates another issue.
 
   To mark an issue as a duplicate, create a comment that:
   
    - mentions the other, duplicated issue
    - adds the _Duplicate_ label (`/label Duplicate`)

<a id="assignee"></a>

## Assignee

We use the _Assignee_ field in a way that helps us organize share our
work as a team, focus on what matters most currently, and avoid
individual over-commitment & feelings of failure.

To this aim, most tasks should be up for grabs for anyone who has spare capacity
and the required skills: [Don't Lick the
Cookie](https://www.benday.com/2016/10/21/scrum-dont-lick-the-cookie/).

So in general, issues and merge requests should not be assigned to anyone. 

This being said, we do assign them if at least one of these conditions is
met:

 - Someone is actively working on it.

 - The task is both important and urgent.

 - The _Target version_ is set to the next Tails release.
   See the "Target version" section above for details.

 - We did all the work we could on this task already and now have to
   track progress on a blocker that we cannot address ourselves.
   For example, regularly tracking progress and pinging on patches
   we've submitted upstream.

 - Only one of us can complete the task. This helps identify
   bottlenecks, high bus factor, and over-commitment.

 - Sponsor deliverables that are managed under the "let's decide
   a long time in advance who exactly will do each task" paradigm.

 - It is about the parent ticket for a large project with several
   subtasks that will be tackled by different people, and we need
   someone to coordinate the project.

<a id="milestone"></a>

## Milestone

Different teams and contributors use the _Milestone_ value differently:

 - Some teams try their best to treat it as a commitment, that other Tails
   contributors should be able to rely on.
 - Others use it as a pool of tasks they want to have on their short-term radar.

For issues that are on the Tails [[!tails_roadmap]], the _Target version_ is set
to a year, until it makes sense to target a specific release.

Postponing to the next _Target version_ more than once is not business
as usual — it's a red flag. Ideally, the underlying problem should be identified
and addressed: for example, the assignee might need help or be over-committed;
the team could be under-staffed; or perhaps the task should simply not have
a _Target version_ in the first place.

## Priority

Every open issue must have exactly 0 or 1 of these labels:

 - _P: Low_: it would be good to do this, but it's unlikely
   that current Tails contributors find time to work on it
   any time soon
 - _P: Normal_, or no such label: this is the general case
 - _P: Elevated_
 - _P: High_
 - _P: Urgent_

## Category

We classify issues with labels whose name starts with _C: _.

For example, _C: Email Client_ or _C: Installation_.

## Type of work

To indicate the type of work that's needed to complete the next step
on an issue, we use labels whose name starts with _T: _.

For example:

 - _T: Debian_: the work shall be done in Debian
 - _T: End-user documentation_: everything below [[doc]] and [[support]]
    on our website
 - _T: Contributors documentation_: everything below [[contribute]]
    on our website
 - _T: Wait_: we are waiting/tracking actions we need non-Tails
   people to do, outside of Tails
 - _T: Website_: website work not covered by other options

## Other labels

 - _Starter_: issues flagged as *Starter* can be a good pick for new contributors
   [[Learn more|contribute/working_together/criteria_for_starter_tasks/]].

## Relationships between issues

Arguably, GitLab CE is a bit limited when it comes to expressing semantic
relationships between issues. Here is how we can overcome these limitations.

### Parent/subtask and Blocks relationship

A GitLab issue can have a [task
list](https://docs.gitlab.com/ce/user/markdown.html#task-lists).

Every task is a task list can be:

 - free-form text

 - a `#NNNN` link to another issue, that needs to be closed
   before the issue with the task list can itself be closed.

### Related issues

You can list related issues either in the description or in a comment.

Either way, this adds a message in the Activity stream of the
referenced issue, with a link to the referencing issue.

## Confidential issues

You can make an issue
[confidential](https://docs.gitlab.com/ce/user/project/issues/confidential_issues.html)
when creating it or at any later time.

A confidential issue is visible only by:

 - whoever created it
 - project members with at least
   [Reporter](https://docs.gitlab.com/ce/user/permissions.html#project-members-permissions)
intrigeri's avatar
intrigeri committed
212 213
   access; that is, for our [[!tails_gitlab tails/tails desc="main GitLab
   project"]]: most past and present Tails contributors
214 215

If your team regularly manipulates confidential data, then its issues live under
intrigeri's avatar
intrigeri committed
216 217
a dedicated GitLab project, with a different set of members, and possibly
configured so that new issues are confidential by default.
218

intrigeri's avatar
intrigeri committed
219 220 221
# How to document progress

See [[contribute/working_together/document_progress]].
222

intrigeri's avatar
intrigeri committed
223
# How to request and provide input
224

225 226 227 228 229 230 231 232 233 234
## How to participate in discussions

You can comment on issues and merge requests.
Our [[contribute/working_together/code_of_conduct]] applies.

If you want to start a new discussion, please use _Start thread_ instead of
_Comment_: a thread can be marked as resolved, while a comment cannot.
This helps keeping track of which discussions have reached a conclusion,
and which ones are still pending.

intrigeri's avatar
intrigeri committed
235
## Requesting input from someone else
236

intrigeri's avatar
intrigeri committed
237 238
If you need input from someone else on an issue or merge request,
ask your question in a comment there, mentioning them
239 240 241
with their GitLab login name: `@nick`. GitLab will send them
an email notification about it and add it to their To-Do list.

intrigeri's avatar
intrigeri committed
242
## Acting upon input requests
243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261

It's important to provide requested information as quickly as you can,
to make the Tails contribution process more efficient and enjoyable.

When input is requested from you on an issue or merge request with `@nick`:

 - GitLab adds an item in your
   [To-Do list](https://gitlab.tails.boum.org/dashboard/todos).

 - GitLab may send you an email notification

   Please ensure your GitLab email notification settings and your email setup
   allow you to receive and notice these messages.

When you receive such a request, if you cannot provide the requested input
immediately, you're responsible for keeping track of this task, for example via
the To-Do list, or by creating a new issue assigned to yourself, or using
whatever personal organization tools work for you.

intrigeri's avatar
intrigeri committed
262 263 264 265
# How to submit and review merge requests

See the [[contribute/merge_policy]].

intrigeri's avatar
intrigeri committed
266
# Email interface
267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319

Using the email address registered with your GitLab account,
you can:

 - Stay informed of what's happening in GitLab

   To do so, enable email
   [notifications](https://docs.gitlab.com/ce/user/profile/notifications.html).

 - Participate in [discussions](https://docs.gitlab.com/ce/user/discussions/)
   on issues and merge requests, modify issues metadata

   To do so, reply to an email notification you've received from GitLab.
   
   Write your email just as if you [replied from the
   web].
   In particular:

    - Write your email in
      [Markdown](https://docs.gitlab.com/ce/user/markdown.html).
    - You can use
      [Quick actions](https://docs.gitlab.com/ce/user/project/quick_actions.html).

 - Create new issues
 
   See [New issue via email](https://docs.gitlab.com/ce/user/project/issues/managing_issues.html#new-issue-via-email)
   in the GitLab documentation.

# Core teams' work

Some of the teams who do
[[Core work|contribute/working_together/roles]] (be it paid or done on
a volunteer basis) maintain GitLab metadata in order to:

 * provide visibility on what they doing & their priorities;

 * give the Tails community some power over setting these priorities;

 * encourage the Tails community to help core workers define their
   priorities: they sometimes have a hard time deciding by themselves
   how they should spend their time on what matters the most to
   the project.

To track this, these teams use
[labels](https://gitlab.tails.boum.org/tails-team/-/labels)
whose name starts with *Core work*.

The teams who use this mechanism are more than happy to get feedback
about these priorities: both addition and removal suggestions are
welcome. Please check the mission statement for the corresponding team
first, to ensure you're not asking them to do something that's outside
of the scope of their job. And please justify your suggestions.
Please check these views once in a while and talk to us! :)
intrigeri's avatar
intrigeri committed
320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423

# Access control

XXX: document the process to grant access level to users, once this [is
implemented](https://salsa.debian.org/tails-team/gitlab-migration/issues/33).

## Objects

 - _Canonical Git repo_: the authoritative [[!tails_gitlab tails/tails]]
   repository, hosted on GitLab

 - _Major branches_: `master`, `stable`, `testing`, `devel`,
   and possibly `feature/bullseye`

 - _Release tags_: a signed Git tag that identifies the source code
   used to build a specific Tails release; currently all tags
   in the authoritative `tails.git` repository are release tags;
   the tag name is a version number, with '~' replaced by '-'.

 - _Particularly sensitive data_: confidential data that specific teams
   like Fundraising and Accounting need to handle, but that other
   contributors generally don't need direct access to. This definitely
   include issues; this might include Git repositories at some point.

   Note that as of 2020-03-29, it is undefined:

    - What subset of this data can go to a web-based issue tracker or not.<br/>
      This is already a problem with Redmine.<br/>
      Fixing this will require discussions between various stakeholders.

    - What subset of this data could live in a cleartext Git
      repository hosted here or there, as opposed to requiring
      end-to-end encryption between members of these teams.
      This is a hypothetical problem for now.

## Subjects

 - An _admin_ can do anything that other roles can, and:
   - can delete issues
   - can edit team membership
   - MUST comply with our "Level 3" security policy
   - can view issues that contain particularly sensitive data

 - A _committer_:
   - can push and force-push to any ref in the canonical Git repo,
     including major branches and release tags;<br/>
     incidentally, this ensures the following requirement is met:
   - their branches are picked up by Jenkins; it follows that they
     MUST comply with our "Infrastructure" security policy
   - can merge MRs into major branches
   - can modify issues metadata
   - is allowed to view confidential issues in the [[!tails_gitlab tails/tails]]
     GitLab project; that's OK, because particularly sensitive data
     lives somewhere else, with stricter access control
   - can edit other users' comments
   - MAY be allowed to add new team members
   - MUST comply with our "Level 3" security policy

 - A _regular, particularly trusted contributor_:
   - can push and force-push to a subset of refs in the canonical Git repo;
     this subset MUST NOT include any major branch nor release tag;<br/>
     this is required to ensure the following requirement is met:
   - their branches are picked up by Jenkins; it follows that they
     MUST comply with our "Infrastructure" security policy
   - can modify issues metadata
   - is allowed to view confidential issues in the [[!tails_gitlab tails/tails]]
     GitLab project; that's OK, because particularly sensitive data
     lives somewhere else, with stricter access control

 - A _regular contributor_:
   - can fork the Git repositories and push changes to their own fork
   - can modify issues metadata
   - is allowed to view confidential issues in the [[!tails_gitlab tails/tails]]
     GitLab project; that's OK, because particularly sensitive data
     lives somewhere else, with stricter access control

 - _Anybody with a GitLab account_ on the instance we use:
   - can submit issues
   - can submit MRs

## Implementation

### Relevant GitLab doc

 - [Permissions](https://docs.gitlab.com/ee/user/permissions.html)
 - [Authorization for Merge requests](https://docs.gitlab.com/ce/user/project/merge_requests/authorization_for_merge_requests.html)
 - [Protected Branches](https://docs.gitlab.com/ce/user/project/protected_branches.html)
 - [Groups](https://docs.gitlab.com/ee/user/group/)

### Access levels

We use the [Protected branch
flow](https://docs.gitlab.com/ce/user/project/merge_requests/authorization_for_merge_requests.html#protected-branch-flow):

 - Our major branches and release tags are marked as "Protected".
 - Committers get "Maintainer" access.
 - Regular, particularly trusted contributors, who are not granted full commit
   access but have access to our CI, get "Developer" access. They can push
   a topic branch to the canonical Git repository and our CI will pick it up.
   They can also modify any non-protected topic branch.
 - Other contributors get access strictly lower than "Developer".
   They push topic branches to their own fork of the repository and
   create merge requests.
 - Our Jenkins CI jobs generation process is the same as in pre-GitLab days.