On 17/3/19 12:48 am, Merlijn van Deen (valhallasw) wrote:
On Sat, 16 Mar 2019 at 03:01, Tim Starling
<tstarling(a)wikimedia.org> wrote:
No, managing +2 permissions is not up to the
maintainer of the tool,
that's the whole point of the change.
I feel that this policy, although well-meaning, and a step forwards for
MediaWiki and other WMF-production software, is unreasonably being applied
as a 'one-size-fits-all' solution to situations where it doesn't make sense.
Two examples where the policy does not fit the Toolforge situation:
1. According to the policy, self-+2'ing is grounds for revocation of Gerrit
privileges. For a Toolforge tool, self +2-ing is common and expected: the
repository is hosted on Gerrit to allow for CI and to make contributions
from others easier, not necessarily for the code review features.
Merging your own code without review is grounds for revocation, with
several exceptions. One of the exceptions is for code that's not
deployed to the Wikimedia cluster. A toolforge tool would fall under
that exception.
In general, if self-merging is normal policy in some repository, we
are not trying to change that here. The +2 policy section is mostly
copied from the previous policy and is meant to be descriptive of the
current situation.
2. Giving someone +2 access to a repository now needs
to pass through an
extended process with checks and balances. At the same time, I can *directly
and immediately give someone deployment access to the tool.*
Effectively, this policy forces me to move any tool repositories off Gerrit
and onto GitHub: time and effort better spent otherwise.
The reason we wanted to make this change is because we didn't want to
repeat GitHub's mistakes. This case of a malware being added to an NPM
package used by many people was fresh in our minds:
https://github.com/dominictarr/event-stream/issues/115
The original maintainer had stopped caring about this package some
time before the incident. He gave contributor access to the first
person who asked, without any sort of check. Even after the malware
was discovered, the original maintainer was dismissive, leaving it for
others to clean up.
We've had an incident on Gerrit of a known malicious user, a Wikipedia
vandal, submitting code with a security vulnerability, using a
previously unknown pseudonym. We don't really want such a person to be
summarily given +2 access to a repository.
I don't think it's a huge inconvenience to list your proposed
contributors on a Phabricator ticket and then to wait a week.
-- Tim Starling