Feedback Requested: Migrating Critical Chocolatey Packages To Chocolatey Community?

[pauby]

I have a proposal that I wanted to discuss with the Community here to find the best way to approach migrating critical Chocolatey packages to this repository.

Chocolatey CLI requires specific packages for it's package sources such asruby, python and webpi. There are also packages that are required for Chocolatey CLI features such as intunewinappyutil. And packages required for Chocolatey products such as nexus and jenkins. Different maintainers are responsible for these packages.

To ensure Chocolatey has a secure, trusted and well-defined package management process, we have had some discussions internally and wanted to understand what the Community thought of:

• Migrating the packages discussed above to this repository.
• The use of the CODEOWNERS file ensures that the maintainers best placed to review package changes can do so, providing a trusted and secure process for those critical packages.
• Use the automation that already exists in this repository to ensure packages are up-to-date.

I see the benefits to the Community as

• Members of the Chocolatey Team would be available to help with management of the repository.
• Increased number of package maintainers, able to work on packages and review / merge PR's.
• The migrated packages would be open-source in this repository, allowing others to get involved in helping to resolve problems and add new features

The two important things that I wanted to ensure from this is:

• A secure, trusted and well-defined process for managing critical Chocolatey packages.
• Increase in the number of Community maintainers working in this repository.

I believe this will provide both of those, and I hope that it will encourage other new and experienced maintainers to become involved too. I would really like to see this repository thrive, and I feel this is a good step on that path.

Please let me know your thoughts.

[pascalberger]

Makes sense to me 👍

[TheCakeIsNaOH]

Migrating the packages discussed above to this repository.

Yes, that sounds great.

The use of the CODEOWNERS file ensures that the maintainers best placed to review package changes can do so, providing a trusted and secure process for those critical packages.

As far as I am aware, for CODEOWNERS to work, the users/teams listed in it have to have write access to the repository. So, are more people going to be added to this repository?

A secure, trusted and well-defined process for managing critical Chocolatey packages.

Yes, this is important security wise.

Increase in the number of Community maintainers working in this repository.

As far as I'm aware, most of the packages you mentioned are already maintained by members of the Chocolatey Team or via someone already involved in this repository. So I'm not quite sure how this is intended to increase the number of Community maintainers in this repository?

[pauby]

As far as I am aware, for CODEOWNERS to work, the users/teams listed in it have to have write access to the repository.

I'll leave that for @AdmiringWorm to answer.

As far as I'm aware, most of the packages you mentioned are already maintained by members of the Chocolatey Team or via someone already involved in this repository. So I'm not quite sure how this is intended to increase the number of Community maintainers in this repository?

The Chocolatey Team are, on the whole, not involved in this repository. Having those packages managed by the team means they will be more involved in the repository, and by extension I'd hope more involved with other packages in this repository. I've spoken to the team about the intentions around this. More activity would hopefully bring in other maintainers. I also have a plan to reach out to people to help with that.

EDIT: Clarified that I'd spoken to the team out the intentions.

[TheCakeIsNaOH]

More activity would hopefully bring in other maintainers. I also have a plan to reach out to people to help with that.

Ok, that makes sense. 👍

[AdmiringWorm]

As far as I am aware, for CODEOWNERS to work, the users/teams listed in it have to have write access to the repository.

You are correct, unfortunately CODEOWNERS will only automatically handle requesting reviews automatically, so currently it will be a process for those that review the pull requests to scan through the file and reference those listed for the package for a review.
I hope to eventually handle this automatically through a GitHub action, but haven't gotten that far yet.

EDIT: There are no plans AFAIK to add more people with write permissions, at least not yet.

[pauby]

Thanks @TheCakeIsNaOH and @pascalberger for your input. As there haven't been any objections to this, I'll move forward in getting the packages migrated.

[AdmiringWorm]

I created an issue based on this discussion for us to target with the packages that will be migrated/created here: #1904

[AdmiringWorm]

The packages mentioned in this discussion have all been migrated to this repository. As such, I will be closing this discussion now.