[development] sandbox, project nodes, release nodes, and drupal.org's contrib CVS repo

Derek Wright drupal at dwwright.net
Mon Dec 18 02:07:37 UTC 2006

wow, go offline for a few days and behold the mayhem that can break  
out on this list. ;)

personally, i wasn't in favor of disabling the sandbox in the first  
place, and am happy to see the change reverted.

that said, after reading all the related threads, i've noticed a few  
important misconceptions about how project nodes, release nodes, and  
our CVS repository interact with each other.  i'll grant that all of  
this has been in flux (hopefully for the better) for the last year,  
but i think it's essential to clear these up as this discussion of  
the sandboxes evolves:

- you do *not* need a project node before you can add a directory to  
the contributions/modules or themes directories.  in fact, it's the  
other way around... the directory must exist in CVS before you can  
add the project node that points to it.

- you *must* have a valid CVS account before you can add a project node.

- before, project nodes were unpublished until there was a tarball  
generated for that project.  this was (IMHO) a hack to get around the  
problem that we didn't want to maintain both a list of users with CVS  
accounts and a corresponding drupal role.  so, anyone with an account  
on d.o used to be able to create a project node for something, but  
only once their CVS account was approved, and they committed code,  
and the packaging script ran, was a tarball generated and their  
project node published.  now, only people w/ CVS accounts can make  
the project nodes, so they get published right away, and the  
existence or not of a release associated with the project has no  
bearing on if the project node is published, (and therefore, if the  
issue queue works, etc).

- you *need* to have a valid *release* node for a project for it to  
appear in the project browsing pages (the "Downloads" tab on d.o,  
a.k.a http://drupal.org/project/Modules etc).  those pages basically  
say "show me all the projects that have a release that matches the  
version i'm looking for".  no release means you don't show up there.

- our CVS access control (the "CVS access" tab on projects) only  
kicks in once there's an actual project node for a given directory in  
the repository.

- creating a DRUPAL-4-7 branch for your project no longer  
automatically creates releases for it.  so, you can even branch/merge  
your code before it's ever got releases (and therefore, visibility in  
the project browsing pages).

here's an imaginary story for how all of this works together to give  
us some better alternatives than the sandbox for code in various  
states of not-yet-ready-for-end-users:

a few folks want to collaborate on a new contrib module.  no one is  
sure if it'll work, or who's going to maintain it, but they want to  
start hacking now.  they add it as a new directory in contributions/ 
modules but DO NOT create a project node yet.  anyone w/ a CVS  
account can collaborate in there, but it's basically invisible to end  
users[1].  later, they decide they want to start using an issue queue  
to coordinate bug fixes/features/tasks, so they create the project  
node and enable the issue tracker, but they still don't make any  
release nodes.  the project is still basically invisible to end users  
on d.o since it's not in the usual project browsing pages.  end users  
would only find it if they happened to search for the right term, or  
stumbled upon the project by noticing it in the enormous dropdown box  
when selecting a project when adding another issue or something.   
and, assuming our imaginary team of drupal ninjas were being  
responsible, the description on the project node (and the README.txt  
in CVS) would be full of bold, flashing warnings that "THIS CODE IS  
ALPHA -- BEWARE".  but, people-in-the-know would now have a) an issue  
tracker, b) CVS access tab, c) all the cool CVS integration project +  
cvs.module provide (the "Developers" page, commit messages, etc).

perhaps the story ends there, they give up, move on/abandon the  
project, whatever.  maybe someone else comes along 9 months later and  
wants to pick up the torch again (and the infra team just hands over  
ownership of the project node to the new victim).

instead, maybe their experiment works and they want to release their  
code.  they just have to start adding tags and release nodes and  
poof, the project now shows up on the end-user-visible project  
browsing pages.

so, while i'm happy to see the sandbox remain for cases where that's  
useful, i'd like to offer the above scenario as a good alternative  
for "pre-alpha" modules or themes.  i think it's better because:

a) it's more structured
b) you can use an issue queue
c) if it ever goes "live", early development issues are still there  
for reference, CVS commit messages (and therefore "cvs blame") can  
point to issue nids, etc.
d) you can use the CVS access tab to ensure only the people you mean  
to be are hacking on your code
e) you get a project node to use for description, news, etc.
f) you can classify the module as appropriate so people looking at  
the project node don't just know it's a module, but what kind of  
module it is
g) it forces you to pick a name for your thing, which will help  
prevent you from *exact* duplication of another existing project with  
the same name

-derek (dww)

[1] people who just do "cvs checkout contributions/modules" and then  
complain about how much crap is in there don't count in my book. ;)   
if you're getting drupal source directly via CVS you're already over  
a fairly high bar and i don't consider you the target audience we  
need to protect from yourselves.  it's clear that we already have no  
guarantee of quality for what's in there now (even projects with  
releases), so the idea that "it's in contributions/modules, it must  
*sort* of work" is inherently flawed.  if there are official releases  
(not dev snapshots) with clear, useful release notes, you can  
probably assume it works (even then, review it yourself or pay  
someone on the security team to audit it for you before you really  
trust it).  if not, you're on your own...

More information about the development mailing list