Permissions for package repositories

Open kolaente opened this issue 2 years ago • 1 comments

Feature Description

Currently, the new package repository uses the public/private status of the organization/user the package belongs to. This works fine for most use cases until one wants to make one package private and all others not, or vice-versa. It would be nice to have additional control over the visibility of packages.

I see three possible solutions to this:

  • Add a simple switch "This package is public", similar to repos and keep the current permission logic. Easy to implement, could be extended with the second solution in the future.
  • Couple the package permissions to the repo a package belongs to. If its repo is private, so is the package. This would also allow re-using read/write permissions from the repo and is probably the most intuitive. However, it has two small downsides:
    • Packages without an associated repo would be public - maybe they could just use the current permission model.
    • When publishing a new package from a private repo there would be a brief period where the package is public until the repo is properly associated to it and permissions are used from that. This could be avoided by implementing the first solution first and making new packages private by default.
  • Implement a separate, full-blown permission system for packages similar to what we currently have for repos. Probably requires the most effort and requires duplicating permissions.

Personally, I like the second solution as the most intuitive or the most complete.

Similar to https://github.com/go-gitea/gitea/issues/20093#issuecomment-1200996879

kolaente, Aug 01 '22 15:08
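The publish-time window described under the second option, modelled as an added sketch that is not part of the original issue and is not Gitea's code. All type, field and function names are hypothetical, and the scenario (public owner, private repo) is constructed.

```go
package main

import "fmt"

// Hypothetical model of the options in the issue; not Gitea's code.
type Repo struct{ Private bool }

type Package struct {
	OwnerPrivate bool  // owner (user/org) visibility, the current model
	Repo         *Repo // nil until the package is linked to a repo
	Private      bool  // per-package switch from the first option
}

type Policy int
const (
	OwnerOnly                 Policy = iota // current behaviour
	RepoCoupled                             // second option alone
	RepoCoupledDefaultPrivate               // second option + private-by-default switch
)

// AnonymousCanRead reports whether an unauthenticated user can see the package.
func AnonymousCanRead(p Package, pol Policy) bool {
	switch {
	case p.OwnerPrivate:
		return false
	case pol == OwnerOnly:
		return true
	case p.Repo != nil: // linked: the repo decides under both coupled policies
		return !p.Repo.Private
	case pol == RepoCoupled: // unlinked: falls back to the public owner
		return true
	default: // unlinked with the switch: the package flag decides
		return !p.Private
	}
}

// ExposedDuringPublish returns anonymous visibility before and after the repo link.
func ExposedDuringPublish(pol Policy) [2]bool {
	pkg := Package{Private: pol == RepoCoupledDefaultPrivate}
	before := AnonymousCanRead(pkg, pol)
	pkg.Repo = &Repo{Private: true}
	return [2]bool{before, AnonymousCanRead(pkg, pol)}
}

func main() {
	for _, pol := range []Policy{OwnerOnly, RepoCoupled, RepoCoupledDefaultPrivate} {
		fmt.Println(pol, ExposedDuringPublish(pol))
	}
}
```

Each pair is visibility before and after the link: only the combined policy keeps the package hidden at both steps.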

I will add a reference to this issue in #19270 for the item Fine-granular access model.

KN4CK3R, Aug 03 '22 14:08