Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Debian Development (http://www.linux-archive.org/debian-development/)
-   -   Refactoring the Debtags web interface (http://www.linux-archive.org/debian-development/250339-refactoring-debtags-web-interface.html)

Enrico Zini 02-22-2009 02:56 PM

Refactoring the Debtags web interface
 
Hello,

I've started to ponder a decent redesign of the Debtags web interface,
that will be hosted at debtags.debian.net. I'd like to post here my
intentions, as a sort of RFC. Comments are welcome.

New features that I think are needed:

- workflow changes:
- form subcommittees by broad topics: "The Gnome Guys", "The KDE Guys",
"The Web Developers", "The Photographers" and so on, and give them
the ultimate say on a set of tags, including being able to say "these
packages are ok and reviewed now, disallow edits for all our tags on
them".
- support tags coming from external sources (like security team or
QA) and displayed by the site but never updated via the site

- web interface for reviewing anonymous tag submissions
- global (review all submissions)
- maintainer specific (review submissions related to my packages)
- interest specific (review submissions related to a set of
interesting tags; for example, the ocaml maintainers may want to
review changes to the *::ocaml tags)

- auditing
- track the history of tag changes for a package


About authenticated access:

- I do not want to maintain another user/password database: this should
be done with Openid and a whitelist of identity providers that every
DD can easily use (like alioth or debian)


About implementation details:

- SQL Database to track the workflow
- History of tags assigned / removed from a package
- Track who assigned / removed a tag
Anon users, Member of team X, Autotagger X, Tag reviewer
- Track the origin of a tag
(website, qa, secteam, team X)
- Track if a tag change has been reviewed
- Unchangeable ("definitive") tag changes
- Generate tag sets to feed autotaggers and whatnot
- Review
- Unreview
- Reviewed or unreviewed plus one or more other sources
- Database of contributors
- anonymous / openid identifier / external tag source / data mining
program
- Track the contributors of tag changes
- Privilege tables for contributors
- is a maintainer / uploader of
- is member of group
- is member of debtags
(would it be possible to get list of group members from alioth?)
- Database with package information, for display purposes only
- Regularly updated via dde.debian.net

- Xapian Index
- Used for searches
- Used for suggestions
- Regularly updated via dde.debian.net
- Needs to have the latest unreviewed tags, so that suggestions are updated in
real time as people tag


Milestones:

- Create the SQL Database
- Import historical tagdbs from alioth, to simulate a tag update history
- Regular imports from alioth
- Regular updates from DDE

- Create the Xapian database
- Regular updates from DDE

- Services as a slave interface to the authoritative data on
debtags.a.d.o

- First useful services
- Tag review pages

- Feature parity with debtags.a.d.o
- Port the maintenance procedures
- Become the authoritative tag database
- Setup redirect from debtags.a.d.o


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Andreas Tille 02-22-2009 04:34 PM

Refactoring the Debtags web interface
 
On Sun, 22 Feb 2009, Enrico Zini wrote:


- workflow changes:
- form subcommittees by broad topics: "The Gnome Guys", "The KDE Guys",
"The Web Developers", "The Photographers" and so on, and give them
the ultimate say on a set of tags, including being able to say "these
packages are ok and reviewed now, disallow edits for all our tags on
them".


Very reasonable.


- maintainer specific (review submissions related to my packages)


Reasonable.


- interest specific (review submissions related to a set of
interesting tags; for example, the ocaml maintainers may want to
review changes to the *::ocaml tags)


Very reasonable.


- auditing
- track the history of tag changes for a package


The only reason I see here mihght be to track down "Debtag-Vandalism".


About authenticated access:

- I do not want to maintain another user/password database: this should
be done with Openid and a whitelist of identity providers that every
DD can easily use (like alioth or debian)


... and I do not want to remember just another password - so yes, please
try to use plugins to debian LDAP or Alioth.


- SQL Database to track the workflow
- Track who assigned / removed a tag
Anon users, Member of team X, Autotagger X, Tag reviewer


IMHO important for Debtags QA.


- Unchangeable ("definitive") tag changes


Hmmm, "unchangeable" - is there anything in this world unchangeable? ;-)


- Privilege tables for contributors
- is a maintainer / uploader of
- is member of group


Seems to be consistent with what you suggested above -> very reasonable.


- Xapian Index


I have to less knowledge about Xapian to give reasonable comments here.


Ciao,


I'd really like to thanks you at this place for your continous work for
Debtags!

Kind regards

Andreas.

--
http://fam-tille.de


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Raphael Geissert 02-22-2009 09:32 PM

Refactoring the Debtags web interface
 
Enrico Zini wrote:
[...]
>
> - I do not want to maintain another user/password database: this should
> be done with Openid and a whitelist of identity providers that every
> DD can easily use (like alioth or debian)
>

Why not use the DDs and DMs keyrings? just make them sign a given random
token and submit it.

Cheers,
Raphael Geissert


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Erich Schubert 02-22-2009 09:48 PM

Refactoring the Debtags web interface
 
Hi,Why not use the DDs and DMs keyrings? just make them sign a given random


token and submit it.
Debtags used to have a very liberal contribution policy - anonymous - and that helped a lot getting the intial data in.
It has always been a goal to make contributing to Debtags as easy as possible, not as secure as possible (especially at the benefit of what?).


Thus I like the idea of people authenticating using alioth, OpenID and similar.

best regards,
Erich Schubert

Enrico Zini 02-22-2009 10:15 PM

Refactoring the Debtags web interface
 
On Sun, Feb 22, 2009 at 04:32:06PM -0600, Raphael Geissert wrote:
> Enrico Zini wrote:
> [...]
> > - I do not want to maintain another user/password database: this should
> > be done with Openid and a whitelist of identity providers that every
> > DD can easily use (like alioth or debian)
> Why not use the DDs and DMs keyrings? just make them sign a given random
> token and submit it.

It's rather cumbersome: I wouldn't like to ask people to do that every
time they log into the website, not even every once in a while to
regenerate an authentication cookie.

But did I recall reading that Alioth, or debian.org, can be OpenID
providers? If I can use that, I solved the problem, otherwise, I may
just postpone implementing authenticated stuff until handy OpenID
providers happen in Debian.


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Ben Finney 02-22-2009 11:00 PM

Refactoring the Debtags web interface
 
Enrico Zini <enrico@enricozini.org> writes:

> About authenticated access:
>
> - I do not want to maintain another user/password database: this
> should be done with Openid

I heartily applaud this decision.

> and a whitelist of identity providers that every DD can easily use
> (like alioth or debian)

What of those that use an OpenID provider not on the whitelist? (I
imagine some not insignificant number of hackers run their own
personal OpenID server, so an ever-expanding whitelist seems not to
address the issue.)

What of non-DDs who do not necessarily have an account on any of those
services, but are still valid users for authenticating in the Debtags
system?

--
“Free thought is a necessary, but not a sufficient, condition |
` for democracy.” —Carl Sagan |
_o__) |
Ben Finney


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Stefano Zacchiroli 02-23-2009 06:46 AM

Refactoring the Debtags web interface
 
On Sun, Feb 22, 2009 at 11:15:36PM +0000, Enrico Zini wrote:
> But did I recall reading that Alioth, or debian.org, can be OpenID
> providers? If I can use that, I solved the problem, otherwise, I
> may just postpone implementing authenticated stuff until handy
> OpenID providers happen in Debian.

The last memory I've about this is a GSoC project from some years ago,
which was not assigned to any student (or did not reach its goal
FWIW).

--
Stefano Zacchiroli -o- PhD in Computer Science PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c' ..| . |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu tous ceux que j'aime

Roland Mas 02-23-2009 07:35 AM

Refactoring the Debtags web interface
 
Enrico Zini, 2009-02-22 23:15:36 +0000 :

> But did I recall reading that Alioth, or debian.org, can be OpenID
> providers?

Not currently. Every once in a while somebody pops up and talks about
implementing an OpenID provider plugin, but it hasn't appeared yet.
If someone feels like going further, I (with my FusionForge
upstream+maintainer and Alioth hats) would be happy to provide
support, guidance and testing.

Roland.
--
Roland Mas

Food, shelter, source code.
-- Cyclic Software


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Enrico Zini 02-23-2009 08:54 AM

Refactoring the Debtags web interface
 
On Mon, Feb 23, 2009 at 11:00:06AM +1100, Ben Finney wrote:

> > and a whitelist of identity providers that every DD can easily use
> > (like alioth or debian)
>
> What of those that use an OpenID provider not on the whitelist? (I
> imagine some not insignificant number of hackers run their own
> personal OpenID server, so an ever-expanding whitelist seems not to
> address the issue.)
>
> What of non-DDs who do not necessarily have an account on any of those
> services, but are still valid users for authenticating in the Debtags
> system?

Fair enough, any OpenID server will probably do, as long as being
authenticated doesn't automatically authorize any privileges.

If Debian were an OpenID provider, then using the Debian OpenID could
automatically give some authorization, like assuming that one is a DD.
That could have been handy, but indeed not particularly needed.

In fact, since neither Alioth nor Debian currently can act as an OpenID
provider, this looks like the only way to go.


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Peter Palfrader 02-23-2009 10:09 AM

Refactoring the Debtags web interface
 
On Mon, 23 Feb 2009, Enrico Zini wrote:

> If Debian were an OpenID provider, then using the Debian OpenID could
> automatically give some authorization, like assuming that one is a DD.
> That could have been handy, but indeed not particularly needed.

As openid provides no security whatsoever there's probably not a big
chance of us (as in DSA) hopping onto the openid hype any time soon.

--
| .'`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


All times are GMT. The time now is 12:55 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.