On Mon, Mar 3, 2014 at 9:25 AM, Antoine Musso <amusso@wikimedia.org> wrote:
> * Cutting the branch should be automatic. Jenkins could do this easily
> and make the timing predictable for all parties.

Can you file it as a bug under either the Deployment or Continuous
Integration component?  Would be more than happy to pair with someone to
craft the job.

We might want to have that job on a secured/private Jenkins instead of
the CI one though.

I know we talked about maybe someday doing this, as it would solve a lot of issues. Is this something we should wait on? It would definitely help with the tarball process too, and as I was thinking about it, it seems like this is something a few of us could do pretty quickly. I don't actually know Gerrit or Jenkins, but it seems like these would all be things someone in our team has done before, so it should just be banging it out instead of trying to do something new.

Assuming ops was able to get the hardware, all we need to do is:
* We set up a machine (well 2, and mirror them somehow for redundancy..) on an isolated network inside the cluster
* It runs Gerrit and Jenkins
* We merge in new patches from the current git repo automatically
** If there's a conflict with a security patch, alert/page/etc (<- this is the major downside I see, if someone is trying to merge an emergency patch to deploy, but it conflicts with an existing security patch, and it's midnight in SFO, we will have problems..)
* Security patches are submitted and +2'ed in the Gerrit instance
* Jenkins cuts the weekly (or daily) branches on some schedule and tarballs when new tags are pushed
* Tin points to the private repo to get its code, and a cron job creates the new directory structure when new wmf branches are available.

Am I way off thinking this isn't actually that difficult? Maybe something we could schedule for q2?
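
Added example, not part of the original message or of any Wikimedia tooling: a sketch of the "merge in new patches automatically, alert on conflict" step from the list above. The function names, exit codes, identity and sample repositories are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Hypothetical sync step for a private repo that carries unreleased security patches.
# Assumed identity for the automated merge commits.
g() { git -c user.name=sync-bot -c user.email=sync-bot@example.invalid "$@"; }

# merge_public <private_repo> <public_repo> <branch>
# Returns 0 = merged or up to date, 2 = conflict (merge aborted, page someone),
#         1 = any other failure.
merge_public() {
  local repo="$1" public="$2" branch="$3" conflicted
  g -C "$repo" fetch --quiet "$public" "$branch" || return 1
  if g -C "$repo" merge --quiet --no-edit FETCH_HEAD >/dev/null 2>&1; then
    return 0
  fi
  # Unmerged paths tell a real conflict apart from other merge failures.
  conflicted=$(g -C "$repo" diff --name-only --diff-filter=U)
  [ -n "$conflicted" ] || return 1
  # Roll back so the private branch still deploys with the security patch intact.
  g -C "$repo" merge --abort
  printf 'CONFLICT with security patch in: %s\n' "$conflicted" >&2  # pager hook goes here
  return 2
}

# Constructed sample input: a "public" repo and a private clone with one security patch.
make_demo_repos() {
  local root; root=$(mktemp -d)
  g init --quiet "$root/public"
  g -C "$root/public" symbolic-ref HEAD refs/heads/main
  echo 'check=old' > "$root/public/app.txt"
  g -C "$root/public" add app.txt
  g -C "$root/public" commit --quiet -m 'initial'
  g clone --quiet "$root/public" "$root/private"
  echo 'check=hardened' > "$root/private/app.txt"
  g -C "$root/private" commit --quiet -am 'SECURITY: harden check'
  echo "$root"
}
```

On a conflict the private branch is left at its previous commit, so a scheduled branch cut still builds from a tree that contains the security patch while a human resolves the merge.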