Add configuration for issue mover bot #43279
Conversation
Tagging subscribers to this area: @maryamariyan |
Tagging subscribers to this area: @ViktorHofer |
Is the plan to have the move issues app installed for dotnet org? cc @terrajobst |
The bot is already installed |
What's the benefit of this bot over the GH feature? |
It can move issues to different organization |
How does the permission system work with that? Doesn't the bot need permissions in the different org? Is this about dotnet <--> mono? |
https://github.com/dessant/move-issues#usage
Yes but it can be used with others too |
Nice, we have the same issue with Nuget which has its own org. |
We use https://hubbup.io/ It would be good if would all use the same app for that. |
I agree that it would be good to standardize on a single app. Are there any significant advantages unique to either of these apps? If not, I would propose to revert this PR and use https://hubbup.io/ since it is run on a more trustworthy account. |
Using |
hubbup.io is made by @Eilon, so he can comment on this. |
Yes I made and maintain hubbup.io. Having a bot is obviously nice because you can stay within GitHub. But with 3rd party bots you have to 100% trust the bot, the bot's code, the author of the code, the maintainer of the code, and the maintainers of every bit of source that went into the bot (e.g. other 3rd party libs). It's certainly not my call, but using 3rd party bots can carry much risk because at least usually they require a lot of permissions to do their work. I'm not sure what this bot needs but if it needs "a lot" of permissions then you need to be extra careful. |
Come on, this is an open-sourced bot in 500 lines of JavaScript code, and all the permissions the bot needs are just a few |
I think @Eilon's comments were generic. And yes, trusting apps is a big deal, which is why we generally don't just allow anyone to install them and instead go through an approval step. Mover is approved in the dotnet org (not sure about the others), so you can use it already. Personally, I dislike that repos must opt in by adding this file. I prefer Eilon's app because it works for all repos I have permissions to. |
@marek-safar indeed my comments were generic because I didn't know what permissions the bot requires. The bots often work by grabbing a token on your behalf and then doing arbitrary work with it, which you have to trust. There have been major incidents before where a "random" 3rd party component in the chain of dependencies was compromised and then everything downstream was compromised. Think of a scenario like NPM's left-pad and if it were compromised. Nearly every Node app in the world would potentially be compromised, including everyone using those apps. It's not a trivial matter of 500 lines of code; it's the 500,000 lines of code that are potentially used in the app. Either way, not my call here, just adding info. |
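The "500 lines vs 500,000 lines" point above is about the dependency closure of a bot, not its own source. The following added example (not part of this thread and not code from the move-issues project or hubbup.io) walks an npm lock file and reports what an install actually pulls in: direct vs transitive packages, packages that run install scripts, and small leaf packages that many others depend on (the left-pad shape). The lock file, package names and versions are constructed for the example; only the hoisted `node_modules/<name>` layout of lockfileVersion 3 is resolved.

```python
import json
from collections import deque

# Constructed npm package-lock.json (lockfileVersion 3 layout) for a hypothetical
# GitHub bot. Package names and versions are made up for this example.
SAMPLE_LOCK = json.dumps({
    "name": "example-issue-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"bot-framework": "^1.0.0"}},
        "node_modules/bot-framework": {
            "version": "1.0.0",
            "dependencies": {"http-server": "^4.0.0", "yaml-parser": "^3.0.0"},
        },
        "node_modules/http-server": {
            "version": "4.0.0",
            "dependencies": {"string-pad": "^1.0.0", "logger": "^2.0.0"},
        },
        "node_modules/yaml-parser": {
            "version": "3.0.0",
            "dependencies": {"string-pad": "^1.0.0"},
        },
        "node_modules/string-pad": {"version": "1.0.0"},
        "node_modules/logger": {"version": "2.0.0", "hasInstallScript": True},
    },
})


def _deps_of(packages, path):
    """Names of the dependencies declared by the package at a lock-file path."""
    entry = packages.get(path, {})
    names = {}
    for field in ("dependencies", "optionalDependencies"):
        names.update(entry.get(field, {}))
    return list(names)


def dependency_closure(lock_text):
    """Breadth-first walk from the root package over the lock file.

    Returns (depth, fan_in): depth maps each reachable package to its shortest
    distance from the root (direct dependencies are depth 1); fan_in counts how
    many distinct packages depend on each one. Only hoisted node_modules/<name>
    paths are resolved, which is enough for this constructed example.
    """
    packages = json.loads(lock_text)["packages"]
    depth = {}
    fan_in = {}
    queue = deque()
    for name in _deps_of(packages, ""):
        depth[name] = 1
        fan_in[name] = fan_in.get(name, 0) + 1
        queue.append(name)
    while queue:
        name = queue.popleft()
        for child in _deps_of(packages, f"node_modules/{name}"):
            fan_in[child] = fan_in.get(child, 0) + 1
            if child not in depth:  # first visit: shortest path found
                depth[child] = depth[name] + 1
                queue.append(child)
    return depth, fan_in


def trust_surface(lock_text):
    """Summarize what installing the app really pulls in."""
    packages = json.loads(lock_text)["packages"]
    depth, fan_in = dependency_closure(lock_text)
    direct = sorted(n for n, d in depth.items() if d == 1)
    transitive = sorted(n for n, d in depth.items() if d > 1)
    # Packages that execute code at install time deserve a closer look.
    install_scripts = sorted(
        n for n in depth if packages.get(f"node_modules/{n}", {}).get("hasInstallScript")
    )
    # Leaf packages with several dependents: one compromise, many affected paths.
    shared_leaves = sorted(
        n for n, count in fan_in.items()
        if count > 1 and not _deps_of(packages, f"node_modules/{n}")
    )
    return {
        "direct": direct,
        "transitive": transitive,
        "install_scripts": install_scripts,
        "shared_leaves": shared_leaves,
        "max_depth": max(depth.values(), default=0),
    }


if __name__ == "__main__":
    for key, value in trust_surface(SAMPLE_LOCK).items():
        print(f"{key}: {value}")
```

Run against a real lock file, the `transitive` list is what an approval step should be weighing, and `shared_leaves` is where a single upstream compromise fans out widest.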
More details at https://github.com/dessant/move-issues