On Tue, Jul 21, 2015 at 5:42 PM, Jeroen De Dauw jeroendedauw@gmail.com wrote:
Hey Bryan,
What exactly justifies such an authoritarian "need to go though some permission process" setup? Exactly what problems are we currently seeing? I'm very sceptical about such an approach. Sure you can say things such as that I'd be nice for other people to have access. The reality is that most people don't care about most extensions and that a lot of them end up being unmaintained and very low quality to begin with. Telling volunteers they should go follow a process they do not want to follow and that they should use a code hosting service they do not want to use has its down sides. This was also not done in the past. You did not need approval to create a "certified MediaWiki extension" or something like that.
As of https://github.com/composer/packagist/issues/163#issuecomment-99673878 Packagist itself has created this restriction of vendor namespaces actually indicating some level of ownership. A vendor is a supplier of a good or service. Publishing something as mediawiki/* is explicitly claiming affiliation with the MediaWiki open source project. As such it seems not unreasonable to ensue that projects claiming to be supplied by the MediaWiki community actually are indeed serviceable by that community. Note that there is no form of restriction for publishing a package that provides a MediaWiki extension or other related functionality under another namespace.
I would certainly welcome an RfC discussion of the current policy and a potential replacement. From my point of view, use of the MediaWiki brand implies endorsement by the MediaWiki community and thus should only be easily available to projects that are able to be contributed to and managed by that community. If for example a serious security flaw was found in a mediawiki/foo package on Packagist the community should be empowered to fix it.
Bryan