Design Considerations for maintainers of packages & namespaces.

[arteevraina]

In the project, there have been discussions on namespace maintainers & package maintainers.
Let's say if we have multiple packages under a namespace and if the admin adds a new maintainer to the namespace then the newly added maintainer will have access to all the packages that are listed under that namespace.

But, on the other hand, if we only have maintainers of the package. So, this security issue won't be there as that newly added maintainer will have access to that only package under that namespace and other packages will be not accessible to the maintainer.

On the other hand, we can allow user to add maintainers to the packages as well as to the namespaces. The logic will be similar, only the entity package will be changed with the namespace.

So, if an admin adds a user as a maintainer to the namespace, the user will be now the maintainer of all the packages under that namespace and if admin adds a user as a maintainer to the package, the user will be the maintainer of the package only.

Also, we can allow to remove maintainers from the packages easily. For removing maintainers from the namespaces, we can have multiple solutions. So, if a user wants to remove a maintainer from namespace, the maintainer can be directly removed from all the packages under that namespace or they can ask the backend to keep the user as the maintainer of the packages and only remove the maintainer from the namespace.

It would be really helpful if can gather a wider community feedback to better implement this feature. @fortran-lang/fpm @minhqdao @perazz @henilp105

[minhqdao]

What is the actual question? 😅

So it seems like you want to have:

• Namespace maintainers
• Package maintainers
• Namespace maintainers automatically being a package maintainer for all the packages within the namespace
• Optional removal of all package maintenance rights within the namespace when the namespace maintenance rights are being removed for a user
• A warning if the user still has namespace maintenance rights when package maintenance rights are being removed

I guess that sounds sensible to me.

[arteevraina]

What is the actual question? sweat_smile

So it seems like you want to have:

* Namespace maintainers

* Package maintainers

* Namespace maintainers automatically being a package maintainer for all the packages within the namespace

* Optional removal of all package maintenance rights within the namespace when the namespace maintenance rights are being removed for a user

* A warning if the user still has namespace maintenance rights when package maintenance rights are being removed

I guess that sounds sensible to me.

Yes, @minhqdao. I am actually considering whether to have the maintainers in a namespace or not for the MVP. It also depends on the organizations that will be planning to use our registry and if the need arises maintainers of the namespace feature can be integrated as well.

[minhqdao]

I don't think it's the most important thing for the MVP but being able to add namespace maintainers is a useful feature, I'd say. You won't have to add them to every individual package.

[perazz]

I like the way this feature is designed, I'm no expert in this but I would think that organizations use a namespace to oversee all their packages, so I agree that the users that are designated as namespace maintainers should be able to operate on all the packages in the namespace.

So, if a user wants to remove a maintainer from namespace, the maintainer can be directly removed from all the packages under that namespace or they can ask the backend to keep the user as the maintainer of the packages and only remove the maintainer from the namespace.

Yes, I also agree that when removing maintainer rights, namespace maintainers should probably be able to have both options, for example:

• user maintains 3 packages in a namespace that has 10 packages.
• user is promoted to namespace maintainer -> can now oversee all 10 packages.
• Another namespace maintainer or admin wants to remove user from the namespace maintainer:
  -- removed from namespace only -> user can still maintain the 3 packages it was previously maintaining
  -- total removal -> user does not maintain any packages in the namespace anymore.

Makes sense?

[minhqdao]

Think we're all on the same page here.

[henilp105]

@arteevraina it seems to be the most apt solution for the MVP.