On Wed, May 01, 2024 at 23:26:18 +0200, Mark Wielaard wrote: > On Wed, May 01, 2024 at 04:04:37PM -0400, Jason Merrill wrote: > > Do you (or others) have any thoughts about GitLab FOSS? > > The gitlab "community edition" still feels not very much "community". > We could run our own instance, but it will still be "open core" with > features missing to try to draw you towards the proprietary hosted > saas version. Also it seems to have way too much overhead. The focus > is clearly corporate developers where managers want assurances the > mandatory "pipelines" are executed and "workflows" followed exactly.
I'll offer my experience here. We (at Kitware) have been using GitLab FOSS for around 8 years. We can't use the other editions because of the per-account pricing and having open registration (since pretty much everything there is FOSS code). GitLab is receptive to patches sent their way and have considered moving things to the FOSS edition to help large FOSS organizations (freedesktop.org, GNOME, KDE, probably others too). There's also been discussion of implementing features such as commit message review in order to court Linux developers given forge-like discussion happening there. FWIW, Fedora is also looking at forges as well: https://discussion.fedoraproject.org/t/2024-git-forge-evaluation/111795 That said, there are definitely gaps to fill. We have our tooling here: https://gitlab.kitware.com/utils/rust-ghostflow (core actions) https://gitlab.kitware.com/utils/ghostflow-director (service deployment) We use it to implement things including: - Basic content checks (scripts are executable, no binaries, file size limits, formatting, etc.) either on a commit-by-commit basis or by looking at the MR (patch series, PR, whatever the forge calls it) as a whole. Docs for currently-implemented checks are here: https://gitlab.kitware.com/utils/rust-ghostflow/-/blob/master/ghostflow-cli/doc/checks.md - Reformatting upon request; if the formatter(s) in use supports writing the content as intended, there is code to rewrite each individual patch to conform. This avoids wasting time on either side for things that can be done automatically (of course, you're also at the mercy of what the formatter wants…I find it worth it on balance). - More advanced merging including gathering trailers for the merge commit message from comments and other metadata including `Reviewed-by` and `Tested-by` (also from CI). Also supported is merging into multiple branches at once (e.g., backports to older branches with a single MR). - Merge train support (we call it the "stage"); this feature is otherwise locked behind for-pay editions of GitLab. Right now, GitLab and Github are supported, but other forges can be supported as well. In addition to the service (which is triggered by webhook delivery), there's a command line tool for local usage (though it only implements checking and reformatting at the moment mainly due to a lack of available time to work on it). There are other things that are probably of interest to supply chain or other things such as: - every push is stored in a ghostflow-director-side unique ref (`refs/mr/ID/heads/N` where `N` is an incrementing integer) to avoid forge-side garbage collection (especially problematic on Github; I've not noticed GitLab collecting so eagerly) - all webhooks are delivered via filesystem and can be archived (`webhook-listen` is the program that listens and delivers them: https://gitlab.kitware.com/utils/webhook-listen); events which trigger failures are stored with some context about what happened; those that are ignored are stored with a reason for the ignore (see this crate for the "event loop" of `ghostflow-director` itself: https://gitlab.kitware.com/utils/rust-json-job-dispatch) - the forge is the source of truth; if a ref is force-pushed, `ghostflow` will accept the state on the forge as gospel instead; the only non-logging/historical tracking state off-forge includes: - the config file - formatter installation (formatting is designed to only use trusted binaries; nothing from the repo itself other than which to use) On the first two points, we had some data loss on our instance once and using the webhook history and stored refs, I was able to restore code pushed to projects and "replay" comments that happened since the last backup (I copied the content and @mentioned the original author). > At the moment though the only thing people seem to agree on is that > any system will be based on git. So the plan for now is to first setup > a larger git(olite) system so that every contributor (also those who > don't currently have commit access) can easily "post" their git > repo. This can then hopefully integrate with the systems we already > have setup (triggering builder CI, flag/match with patchwork/emails, > etc.) or any future "pull request" like system. As a fellow FOSS maintainer I definitely appreciate the benefit of being email-based (`mutt` is far better at wrangling notifications from umpteen places than…well basically any website is at even their own), but as a *contributor* it is utterly opaque. It's not always clear if my patch has been seen, if it is waiting on maintainer time, or for me to do something. After one review, what is the courtesy time before pushing a new patchset to avoid a review "crossing in the night" as I push more patches? Did I get everyone that commented on the patch the first time in the Cc list properly? Is a discussion considered resolved (FWIW, Github is annoying with its conversation resolution behavior IMO; GitLab's explicit closing is much better). Has it been merged? To the right place? And that's for patches I author; figuring out the status of patches I'm interested in but not the author of is even harder. A forge surfaces a lot of this information pretty well and, to me, GitLab at least offers usable enough email messages (e.g., discussions on threads will thread in email too) that the public tracking of such things is far more useful on the whole. --Ben