Contrib.social

Phase out sandbox projects

Open on Drupal.org β†’
Created on 19 March 2021, about 4 years ago
Updated 24 January 2024, over 1 year ago

Problem/Motivation

Drupal.org users are now able to create Full Projects without going through the extra step of securing the 'git vetted' role. Vetting git users/opting in to security team coverage is now decoupled from the type of project someone is using.

Proposed resolution

We should plan to phase out the sandbox project type entirely.

Remaining tasks

  • The 'General' project type already does not support sandbox projects.
  • We should disable the creation of new sandbox projects.
  • We will need to decide what to do with the existing sandbox projects.
  • Document how to experiment with Drupal's Gitlab integration, to get familiar with using it on Creating a new project > Sandbox projects β†’ .
🌱 Plan
Status

Active

Version

3.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States hestenet Portland, OR πŸ‡ΊπŸ‡Έ

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago β†’
    πŸ‡©πŸ‡°Denmark ressa Copenhagen

    Since Sandboxes are not recommended, what is the recommended way of experimenting with Drupal's Gitlab integration, to get familiar with using it? For new users, having to experiment and possibly fail on live issues is less than ideal ...

    It would be nice to clarify this after this sentence, on the Creating a new project > Sandbox projects β†’ documentation page:

    The switch to using GitLab, and the fact that anyone can now create a "full" project without requiring the extra step of obtaining the git vetted user role makes the use of sandboxes obsolete.

    Maybe add something like this? (Assuming that this is correct, if not let's find a proper wording for a recommendation)

    If you need to experiment with Drupal's Gitlab integration, for example doing Gitlab Merge Requests, you can create a new test project via https://git.drupalcode.org/users/*username*/projects (replace *username* with your user name). You can delete it, when you are finished with your experiments.

    It would be great to include a clarification on this in the Issue Summary here, and add it to the Sandbox documentation page, possibly creating a new page. Or maybe such a page already exists?

  • Comment 14 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States darren oh Lakeland, Florida

    I propose we reconsider deprecating sandbox projects in light of the use of AI to abuse the system.

    • Non-vetted contributors should only be allowed to create sandbox projects.
    • A sandbox project should only be promoted to a full project by a vetted contributor.
    • A contributor who creates a release without reviewing it should be given a warning.
    • A contributor who creates a release without reviewing it after being warned should lose vetted status for a year.

    See πŸ“Œ Bulk LLM-generated module publishing by bigbabert Active for an example of a contributor using AI to abuse the system multiple times.

  • Comment 6 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    Re: #20 I believe that would need a large D.A. policy discussion first, separate from this issue.

    Though I will warn I would suggest the D.A. refuse to accept such a policy. The Drupal Community lost uncountable hours of possible contributions in the old system. The long term problem of "unable to find maintainers' can likely track some of situation back to those early policies.

  • Comment 6 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States darren oh Lakeland, Florida

    I remember the vetting process. I would not want to bring the previous vetting process back. I think an open vetting process would prevent a backlog from forming. The important thing is for vetted status to be revokable.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024