Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Source Code Group / 2 Aug 2023
GitLab / Source Code Group / 2 Aug 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Create:SCM - Group level merge rules next steps

Description

Derek (PM) and Michael (UX) discuss what to do with next steps for group-level rules and cascading of settings.

https://gitlab.com/groups/gitlab-org/-/epics/4367

A

Maybe, all right uh so um wanted to have this chat with you about what we're gonna do with group level, merge rules and ultimately Branch rules um at their project level and what direction we went ahead in um yeah. So recently we we inherit or like the group level, merge rules. So that's like approval rules at the group level, and that was something that was in the compliance group. But now that's moved over to our group um and that's that's.

B

Cool because.

A

We were looking at how Branch rules made really at the group level as well, so I feel, like that's, that's a natural kind of spot for this feature, but I think there's a lot of um eyes and customers wanting to see that happen and like the group of modules and yeah I want to see it happen as well and yeah I guess this chat here is probably just a sink call between you and I. Just to see you know where. Where do we want to take this and I? You know.

A

Where do we see this happening, whether it's the next Milestone or a few Milestones from now so I'd love to hear your thoughts about the situation and what you feel like we should head to next, because I have my own opinions and I just want to see if you know a line or if you want to hear my opinions. First, that's cool too.

B

um No I can tell you what my opinion is: I mean I, I wasn't technically still am the PM for compliance, and- and this is something that I got asked about all the time.

B

um So you know between that and looking at the issues that are out there and how many customer comments they have and upvotes I think it's something that we we need to work on uh sooner rather than later. I think that it's something that would add a lot of value for our customers. So in my opinion it should be a pretty high priority for the source code team and that's uh and I I, don't know all the details and all the you know, uh issues around What will what it'll take to implement it.

B

But uh it's I think that it should be a high priority. Yeah cool.

A

um Yeah, so from my perspective, looking at this problem for from the group to the project level, I probably have less time spending looking at the problem. um I know that I contributed to the idea of you know. If a settings are configured at the group level, then we'll show like a lock icon and then display information around why it's locked at that level.

A

um A few months has passed since that initial kind of concept, I just threw out there and, like we've, been running with that I feel like to tackle this properly.

A

um We need to handle two things: it's that cascading. We need to make a decision about whether this applies to future only or current and future, and my opinion is that it applies to current and future, and the big question would be like. Oh what about projects that um that don't need to follow the rules. You.

B

Know, there's.

A

Always going to be exceptions in an organization, especially if you're thinking about group level I feel why this situation is actually good. Is that to solve this I think we need to do both the.

B

Locking.

A

Or like a read-only view of the settings, if it's set from a group level but also provide a pathway for providing exceptions, so we can provide exceptions by saying whether we do a project only or subgroups and projects that is uh like, ideally, subgroups and projects.

A

um But you know if we need to start small and just select individual projects, so be it, but I feel like this kind of Paradigm, of providing exceptions also aligns with some of the work that's being done at the security policy level, where they have um different rules that you can provide exceptions for so this idea of exceptions is something that's happening at the security policy level, but it doesn't really exist right now in the world of settings. You know all we have is like include this four branches and I.

A

Think as we extend this out to the group level, um we need to provide not only include these projects. uh Maybe that's it like it's like here's this and then you deselect a project as a way to provide exclusions.

A

um So I think that's where we probably need engineering input on what's possible. What's not possible I. Think providing exceptions is probably clearer and aligns with security policies, but um that that's my thing where.

B

I.

A

Feel like yeah looking at this from a compliance level, I think they're cascading down and locking was the one perspective, but I think the fact that we couldn't answer. What do we want to do for exceptions, because that would be like crossing over into the project level settings and or like group level settings? And it's like? Oh that's, source code and I feel like that's.

A

Why I'm moving this over to source code is actually actually more advantageous because we we, as the source code group, could make those changes and I know we have short toes, but it.

B

Was like an area that.

A

You you almost it's a tricky one to find that fine line. You know where does compliance end and where does um source code begin and I think um by removing that kind of barrier. We can tackle this as that two-pronged things: uh to provide read-only cascading down and put a way to provide exceptions um and.

B

And that's how I've been approaching.

A

The problem and that's how I want to push forward with this, um maybe before I, lock everything down like, are there any like concerns or, like you know, things that we haven't accounted for or do we need to align closer to policies? Do we need to figure that out before we tackle this in, like Go full steam on this.

B

I.

B

I, don't know that we need to.

B

I, don't know that we need to align closer with policies, um because the way that I see it there are two two ways of uh well possibly three different ways of doing things, um and it depends on what what user you're trying to Target with it like what persona right so security and compliance teams, I think if the policies group added a way to.

B

Enforce the stuff, uh the settings via policies that might take care of the security and compliance teams, but source code is more interested in the developer. Experience right so adding this and adding a way to have exceptions, um especially now. I think that I don't think that we would want the project owners to be able to add their own exception for their project. We'd want to keep that at the group level where this policy or this uh these settings were set and allow ways for group owners to exempt certain projects.

B

um But if we do that, then the policies team I think that it might be better for them to align with what we're doing, because the developer, experience and and locking down these things really should come. First.

B

um The.

B

The compliance seam is a little bit of a.

B

Oddball, because these are things that you could theoretically put into like a compliance framework and selectively apply it to you different projects.

A

Which.

B

I think could be handled separately uh from the way that that you're, looking at doing the the group rules right now, because I think that we could replicate some of the settings in the compliance framework area and allow users to set those specifically for compliance Frameworks and then those would apply selectively to whatever project has the compliance framework enabled on it.

B

So yeah I think that we should probably just move forward with it. We should keep um compliance and security policies updated. It would be good to to make sure that there are that they know what we're doing um and I do want to build more collaboration in certain areas. This would be one of them, but at the same time, I don't want to slow down something that is, could deliver a lot of value for for our customers.

B

So I I'd say that we should move ahead. We should make sure that the compliance and policies teams don't have any major objections, because maybe they could point out something that we haven't thought about um and specifically I'm thinking around, like it'd, be good to have the policies product manager Grant in their but I.

B

Think having the engineering managers look at it and kind of provide their feedback uh would be really good too, because they can see they, they would be able to Think Through potential issues with the with whatever uh projects they're building right now, so I think. As long as we have a way to sync up with them, which which we do, um which I don't remember, were you ever invited to the create govern?

B

Sync.

A

The the no I wasn't invited to that, uh probably mainly because of the time zone of where things were, and then the PM of source code also kind of left around the same time that I kind of got involved so I think it's kind of got down to async, videos um and I. Think Grant has been providing some good feedback on some of the ideas that I've had so far around this stuff. So um that's where that that's at in my eyes, but yeah if you've been having other conversations yeah.

A

uh It's you learn more about that.

B

Yeah um I I, haven't had I, haven't, had much many other con conversations about that outside of either those meetings which I haven't been able to attend uh for a few weeks um or yeah I mean uh they've really yeah. There really hasn't been much conversation from that I've had so I think we're good to go.

B

um We'll keep them updated, see what you know. What comes out of it, but I think that what you have like what I've seen looks really good to me. So I don't see any reason not to continue to move forward and try to get up get the other teams on board with it and figure out ways to solve their problems, but not not um cut short. The developer experience.

A

Okay, yeah.

B

Okay sounds good and then yeah that.

A

Means for the rest of this week, I'll kind of locked down these designs and then get that kind of ready for the next milestone for at least initial planning or better discussions with the engineering team. So that's cool.

B

um I know.

A

That the security um policies team is also looking at um exceptions at the same time. So this might be a good time for us to just be a little bit more transparent and looping them in a lot more because I feel like another way to look at.

A

This is like the security policies goes up at this level and then we're providing the rails for them to like come in to provide exceptions, because at the moment there are there is, there are no exceptions and I feel like that will just come in as like a piece of code that like, if it has policy, do some extra stuff, but maybe we provide the rails for exceptions. It kind of fits a little bit better.

A

So I think the timing is very interesting, uh like very fortunate for all groups to be kind of solving this problem. At the same time, cool right makes.

B

Sense, yeah.

A

Sounds good right, then I'll move ahead and I'll update the issues over the next few days. um Yeah leave that on me.

B

Well, yeah, um and uh just so you know I'm technically doing three people's jobs right now. So, if they're, if you tag me in issue and you need me to look at it or provide a response um and I haven't, you know yet ping me in in slack, because it's possible that I just missed it with everything else that I've got coming in.

A

Sure no problem yeah, that's good uh good to know thanks recording at this time.