Right now we're using a combination of environment variables and magiconf for app configuration. Environment variables are very nice if you're running on something like Heroku, but it feels like the combination of these two methods causes more complexity than is needed.

I've been using rails_config on some projects recently and it's been near-perfect. Here's why:

• Set your defaults in config/settings.yml. This file is checked in and always present, so Settings.some.deep.thing.defined.there will never blow up with a nillybopper and you can just have people run the app in dev mode without having to do any initial configuration.
• If you want to override something locally, just create a (.gitignored) config/settings.local.yml and it gets merged with the other settings.
• When you deploy you can pretty much just do file "#{release_path}/config/settings/production.yml" { content data_bag_item('myapp').to_yaml } (or node['myapp].to_yaml if using attributes instead of data bags) and you're done.
• When you're testing you can just do Settings.stub_chain(:some, :deep, :thing).and_return('something').

I don't have a PR implementing this but would strongly recommend using it.

People care about their number 😄

Also make sure the slug corresponds to the signature number, not the rails ID.

This way we can access it when viewing a cookbook or cookbook version.

These are somethings we'll need to flush out in order to most effectively build out the CLA signing process.

1. Is there a need to view a CLA once it's been signed? What does that look like?
2. Currently there can be multiple versions of a ICLA/CCLA that is tied to a signature. Do we want to support that?
3. From the CCLA contributors view, what happens when you click on an organization?
4. Related to the previous item does an organization serve any other purpose in the app other than collecting required information for a CCLA signature to be valid?
5. If the user updates their CLA contact information is their signature still valid? Or do they need to "resign"?

Here's what I was thinking for the UI/design:

A couple things to point out:

1. The header is cargo-culted from the existing community site. We can deal with that in a separate issue.
2. The links on the left are probably to static (or semi-static) pages with helpful information that currently exists on the wiki.
3. The font is the "official" Opscode Gotham font.
4. The GitHub/JIRA/whatever fields below the line will be optional (for now)

Here's the raw AI file if you have Illustrator and want to make some suggestions/improvements: http://cl.ly/2L0W0M1w1B0k

/cc @jamesc @cnunciato @smith @nathenharvey any feedback?

Moving this spirited discussion into a GH issue since it is a more appropriate format for having an ongoing, detailed discussion.

We've gotten a lot of feedback from the community thus far that categories are not very useful for helping drill down to find meaningful cookbooks. A tag system is nice, but it goes too far in the other direction and you end up with a bunch of duplicate tags or not useful tags as cookbook meta data.

@sethvargo specifically brought up the downsides of using categories and how some cookbooks that get thrown into the "other" category could get lost in the nebulous. I've had lots of internal conflict around this because we want to provide structure for organization, but it can't be so rigid that things get put in categories that are not reflective of what they actually are designed for. Conversely, a tagging system feels too open and structureless.

Outcomes of this discussion:

1. What value does adding structure to cookbook searching through categories or tags really provide?
2. When would it be used and when it not be used?
3. How we can get the right level of structure in place such that it's a more natural organization based on tangible data points within the cookbook itself without being too rigid or too loosely defined?

• Recently Updated (HTML)
• Recently Updated (RSS)
• Recently Added (HTML)
• Recently Added (RSS)
• Most Downloaded
• Most Followers

We need to update the CCLA / ICLA copy to match the latest revision. Need to grab the latest document from Jen.

Ping @nathenharvey (hoping to keep things on here since more people have github accounts than are on the new ML, please let me know if you would rather move it).

Okay, so what do I mean by namespacing? The short version is separating the name of the cookbook from the name of its record on the community site (nee. package server). Right now we enforce that these two things must be the same, which presents a serious barrier to entry with sharing cookbooks when combined with the (IMO correct) cultural standard of naming cookbooks in specific ways. How this separation is done could be completely isolated which is how Rubygems and PyPI do it (the name of the gem/distro has nothing do with the name of the thing you require/import), or more structured as in the case of Github. I prefer the Github way of prepending the username to the cookbook name to come up with the final identifier, but either could work.

Why do I think this is such a big deal? Lets say you need a cookbook to deploy mysql. You elect not to use the ChefInc one, so instead you write your own, but name it mysql anyway because that's the convention. You later go to release this publicly but find the name already taken and so have to choose between not releasing it or changing the cookbook name. Unfortunately because the cookbook name is used all over (roles, envs, other cookbooks, etc) this usually forces people down the path of not releasing things when the names conflict.

Why do I think this needs to be handled Now™? Because it will change all the unique identifiers everywhere, in the DB, UI, API, URLs, etc. They will probably all be longer which has ramifications for the UI, and changing them at all matters for the URLs and API. Handling this as part of the oldcommunity->supermarket transition means only one period of omgscary changes instead of two.

Hello everyone! In the spirit of collaboration, we'd like to open up review and critique of our work to-date on the redesigned cookbooks UI to the community. Please have a run-through of the wireframes at each of the links below and provide any feedback you have as comments in Invision.

Desktop Cookbooks Wireframes - http://invis.io/3KPCMO65

To leave a comment, press "c" or click on "Comments" in the bottom right of the window. To navigate through the screens:

• Click “Applications” under "Categories" to view a category page.
• Click on any “nodejs” to view a cookbook detail page.
• On the cookbook detail page, you can click between the readme and dependencies tabs.
• On any page you can click Cookbooks in the top nav to return to the main Cookbooks page.

Mobile Cookbooks Wireframes - http://invis.io/5MPCMNYB

To leave a comment, press "c" or click on "Comments" in the bottom right of the window. To navigate through the screens:

• Click on Supermarket logo anytime to return to the main cookbooks page.
• Click on “Applications” category to view a category page.
• Click anytime on “nodejs” to view a cookbook detail page.
• On the cookbook detail page, you can click through the details, readme and dependencies tabs.

Thank you!

The API should allow cookbook owners to delete a cookbook

Archlinux (teh best linux ;) has a community repository for user packages. Its very similar in concept to the Chef Community site. Here's an example for a piece of software we're all used before.

So, take a look at those features

• description
• upstream url
• category
• license
• original submitter
• current maintainer
• votes
• creation time
• modification time
• complete list of external dependencies
• a list to show which external packages require this package
• original sources url

Pretty much everything you need to know about a package.

Additionally as a non-authenticated user, you can:

• download a tarball of the raw package
• view the raw metadata

If you authenticate, you get more available actions:

• flag package as out of date
• vote for package
• subscribe to new comments

Take a look at the User Guidelines, and the Trusted User Guidelines. The difference between the two is that trusted users get more privilege in the community and have the ability to move things around.

The 'flag package as out of date' is the important thing here. A user may stop maintaining a package for any number of reasons. We don't want that package to name-squat and force users to fork and resubmit under a new name. So, users can flag the package as out of date. The maintainer of the package is notified and if after some time does not take action you can then mail a list and get TU's to take action.

So, now that I've duplicated some amount of the AUR docs, I urge you to go read them. I think it could work out as a great model for the new community site. The AUR docs are available under the GNU FDL.

🙈 🙉 🙊

A segment.io key isn't being set but the segment.io partial is still being included in application.html.erb on staging breaking JS execution on the entire app.

Migrated from: https://projects.invisionapp.com/share/VMOMTJ36#/screens/16758975/comments/10359085

Is there interest/benefit in having cookbooks recommendations based off of the currently-view cookbook (like Amazon or Google recommendations).

Put something in the README about where the work being done is being tracked. GitHub Issues? LeanKit? Pivotal? HuBoard? Trello? I have no idea right now.

For now, we won't implement support for any of the pagination query parameters, and will simply render a response corresponding to an empty list:

GET /v1/cookbooks

{ "items": [], "start": 0, "total": 0 }

This causes problems down the pipe, e.g. https://app.getsentry.com/chef/supermarket/group/15145003/

We should use find_by! unless 404ing is not desired when an invitation token goes stale (also: when would a token go stale?)

A cookbook maintainer can add and remove collaborators from a cookbook.

The new community site should expose an API endpoint that lists all uploaded cookbooks and their dependencies. We should use an API format (JSON) that corresponds to the Berkshelf API. This must be a single-page JSON file (no pagination).

Benefits

1. Running the Supermarket internally doubles as a Berkshelf source endpoint (no need for a Berkshelf API server)
2. Allows dependency solvers (like depsolver, solve, librarian, etc) to have a single authoritative source

Drawbacks

1. Expensive operation for large numbers of cookbooks
2. Need to implement a caching layer
3. Need background jobs for processing

Considerations

1. Security - when running the cookbook site internally, should all users be able to see all cookbooks?
2. Delay - what is an appropriate amount of time until the cache is valid (since it will not be immediately)?

Curry checks that committers in a GitHub Pull Request have signed Chef's CLA in Super Market.

Pull Requests that relate to this:

• #84

Intro

The general goal of curry is to verify that committer(s) opening a pull request in a Chef Inc. repo have signed a CLA. If they have signed a CLA, Super Market will leave a comment letting Chef Inc. know that the user has signed a CLA. If they have not, Super Market will leave a comment letting Chef Inc. and the committer(s) know they have not signed a CLA, while instructing the committer(s) to sign a CLA. When the Pull Request is opened, a ticket is opened in the ticket tracking system being used (in Chef's case, JIRA).

Major parts of Curry include:

• Ability for Chef Admins to specify the repositories (and projects in corresponding ticket tracking system) that notify Super Market when a Pull Request was opened and updated. This let's GitHub know what repositories it should be the hub for when sending POSTs to Super Market via PubSubHubbub.
• Handling POSTs to the Super Market API end point from GitHub when a Pull Request is opened and updated.
• Commenting on Pull Requests based upon the committer(s) CLA verification status.
• Opening a ticket in the ticket tracking system with the information surrounding the Pull Request.
• If committer(s) had not signed a CLA when the Pull Request was opened but sign a CLA, Super Market will leave another comment in the Pull Request letting Chef Inc. know that a committer has signed a CLA (and what committers still need to sign a CLA).

Flow diagram of the process.

Information

• GitHub has some awesome docs on using hooks with JSON or PubSubHubbub.

Implementation Details

• Super Market will subscribe to a GitHub repository Hub to receive POST requests at Super Market API end point when a Pull Request is created or updated in the GitHub repository. This will be using the PubSubHubbub protocol (Hubbub for short).
• There will be an interface for managing what GitHub repositories Super Market is subscribed to.
• Interfacing with JIRA (the current issue tracker) with the Jira Ruby gem to open issues when a Pull Request is opened on a subscribed repository.
• Leaving comments on subscribed GitHub repositories with the Octokit.rb gem.
• Use Sidekiq to process background jobs.

Approach

1. Spec out and develop interface for managing GitHub repository subscriptions.
2. Create API endpoint to receive Hubbub updates from the GitHub repository.
3. Handle checking committers in the Pull Request to see if they have signed a CLA.
4. Use Octokit to leave a comment on the Pull Request based upon their CLA signing status.
5. Handle when committers have not signed a CLA but then sign a CLA.
6. Use the JIRA Ruby gem to open an issue in the corresponding project.

Comments from the original Gist

@gabeweaver said:

One thing I think we should discuss with Chef:

Given that they are moving towards using LeanKit internally, it seems like JIRA is just an added layer of complexity in managing and tracking work to be done. I'm assuming Chef will be using the "Portfolio" version on LeanKit. If that's the case, then they support a really nice GitHub integration:

"Automatically add cards to designated boards as GitHub issues are created. Once cards reach the final lane or get archived, the GitHub issues are marked resolved. Configure destination boards/lanes, source item to destination card types and priorities mapping."

And since PRs also create GitHub issues, it seems like a Win/Win for reducing complexity and simplifying the workflow, not to mention reducing the barrier to entry and things for contributors to track.

@sethvargo said:

Can we use the commit status API instead? I think a comment is intrusive.

&&

Also, we probably want a batch job that goes through existing PRs and "rechecks" the status. Maybe that's a v2 though

@smith said:

I'm with @sethvargo on using the commit status API. Are there any reasons why we wouldn't do that and use comments instead?

As for checking existing PRs, the ideal solution might be that when a somebody signs a CLA, see if there are any open PRs that Curry has previously seen as unresolved by that user and go put a new message on them. Agreed that that's probably a v2 feature that has lots of unanswered questions.

IMO it might be preferable to leave JIRA completely out of this release, since there might be a lot of complexity around the avoidance of opening duplicate issues. All of the linking we now do between JIRA and GitHub is now manual, and it may have to stay that way for a while.

The LeanKit/GitHub integration sounds really cool, but lets learn how to make a board and use LeanKit before we get there.

Overall this all looks sound, and it a huge improvement over having a human do it.

@gabeweaver @sethvargo @smith I have moved the content and comments from the original Gist to here. I think GitHub Issues are a better place to document discussion because we will get notified of comments, they are tied to the repository and and the discussions should be easier to find.

The README is getting a bit long, and I think it would make sense to create a document specifically for configuring the application locally. This would explain in depth what needs to be configured, how to configure it and why it is there.

This file should be linked to from within the README.

curl doesn't follow redirects by default, so using them for downloads can be problematic. It might be nicer to have them link directly, and pull download counts by parsing the S3 access logs.

• Implement basic UI around name and installation
• Display the README
• Make Download link work
• Show released versions and their related info*
• Show download stats for all versions and latest version
• Show updated/created timestamps
• Display the cookbook maintainer
• Link to the source if it exists
• Display the cookbook's platforms
• Display the cookbook's license
• Determine if having multiple READMEs in different formats is prevalent among existing cookbooks (some code in the old community site suggests it could be).

This is issue is closes #188 and #187.

*Note from @danvolkens when clicking a specific cookbook version on the cookbook show: output the download count, last updated at, and a link to download version

The mock-up for this view: https://projects.invisionapp.com/share/DGP7AUT4#/screens/17695290?maintainScrollPosition=false/preview

Pull request for this issue: #202

A cookbook owner should be able to transfer ownership to another user.

A few remaining issues to cleanup, and leaving them here since PR comments can get lost to the ether:

• Create an 'apps' data bag with a 'supermarket' item. Load this up in the _applicaiton recipe. Possibly create a helper method that adds it to the node's run state to pass around between recipes.
• Set the deploy directory to /srv/supermarket instead of /var/www/supermarket.
• Set the supermarket user's home directory to /srv/supermarket.
• Render the sidekiq.yml as a file resource with content node['sidekiq'].to_hash.to_yaml. We may want to namespace the config attribute separate (node['sidekiq']['config']).

Users should be able to download a tarball of a cookbook from the community site. We should also track download statistics when downloads are performed via either Knife or through the community site API.

In order to make sure we're not breaking knife from a user level an acceptance test suite should be created separtely from Supermarket to facilitate this.

Currently users authenticate and register with their email and password. We want to transition this to OAuth2 with oc-id (Chef ID) as the provider. This will make the account management process quite a bit easier and remove any of the nastiness that the current community site does.

• Change auth process to OAuth instead of email and password
• Explore using devise-omniauthable or omniauth for auth
• Make oc-id the OAuth2 provider

https://app.getsentry.com/chef/supermarket/group/15082972/

@bcobb, @tristanoneil and I had a lil' hang out to figure out what we want to get out of the meeting tomorrow where we are talking about auth and data migration. Here is that list:

• how does authentication currently work?
• how are the pem keys handled and what role do they play?
• how should authentication work?
• what impact does supermarket have on chef server? @nathenharvey mentioned that current community site is legacy and chef server depends on it.
• can we get a schema dump of the current site? getting it running locally is painful. - @bcobb
• what data is getting migrated? pem keys? cookbooks? users? users following a cookbook?
• where do the current cookbook files live? where should live with supermarket? do we want to move them or are they staying in the same place?
• do we have to stick with mixlib for authentication? is it 👌 or is there a better solution?
• what constitutes a valid cookbook? is it just a valid metadata.rb or does it have to actually do something? - @tristanoneil
• what role does JIRA currently play within cla signing? - @brettchalupa
• how are we going to handle missing cla signatures during the migration if that occurs? - @brettchalupa

Feel free to answer questions here if you can or add additional ones. This is more or less a place where we can reference this list and log any notes.

As @bcobb said:

We want the transition from the existing community site to supermarket to be as seamless from the end-user's perspective as possible. That is, it should appear to the user that the site has merely been redesigned; it is an implementation detail that it has been rebuilt from the ground-up. The biggest unknown to this end is authentication. We'd like to understand how the existing community site fits into the larger Chef authentication picture, and we'd like to discuss strategies for getting Supermarket to perform that same role. We'd also like to discuss general strategies for migrating all of the existing community site's data from MySQL to Postgres. Finally, we've been crunching CLA CSVs and want to discuss next steps.

Users can search for a cookbook by meta data (Name, Owner, Description, Platforms, Category) from a single, “smart” text field so that I can find a specific cookbook in Supermarket

This section should be able to render GHFMD so we can easily update the content as we go. Ideally there would be an overview section that has basic text content, then we'll also want to support adding weekly updates in a similar fashion to adding a blog post. This will replace delivering weekly updates via email and include the broader community in our weekly progress. For now, this will be limited to the Supermarket project. We'll need to:

• Design up the view(s) (Dan)
• Do the backend work necessary to support the views
• Add the content (Gabe)

There is a rough start on the content here

Trello Card