On 17/3/19 12:48 am, Merlijn van Deen (valhallasw) wrote:
On Sat, 16 Mar 2019 at 03:01, Tim Starling tstarling@wikimedia.org wrote:
No, managing +2 permissions is not up to the maintainer of the tool, that's the whole point of the change.
I feel that this policy, although well-meaning, and a step forwards for MediaWiki and other WMF-production software, is unreasonably being applied as a 'one-size-fits-all' solution to situations where it doesn't make sense.
Two examples where the policy does not fit the Toolforge situation:
- According to the policy, self-+2'ing is grounds for revocation of Gerrit
privileges. For a Toolforge tool, self +2-ing is common and expected: the repository is hosted on Gerrit to allow for CI and to make contributions from others easier, not necessarily for the code review features.
Merging your own code without review is grounds for revocation, with several exceptions. One of the exceptions is for code that's not deployed to the Wikimedia cluster. A toolforge tool would fall under that exception.
In general, if self-merging is normal policy in some repository, we are not trying to change that here. The +2 policy section is mostly copied from the previous policy and is meant to be descriptive of the current situation.
- Giving someone +2 access to a repository now needs to pass through an
extended process with checks and balances. At the same time, I can *directly and immediately give someone deployment access to the tool.*
Effectively, this policy forces me to move any tool repositories off Gerrit and onto GitHub: time and effort better spent otherwise.
The reason we wanted to make this change is because we didn't want to repeat GitHub's mistakes. This case of a malware being added to an NPM package used by many people was fresh in our minds:
https://github.com/dominictarr/event-stream/issues/115
The original maintainer had stopped caring about this package some time before the incident. He gave contributor access to the first person who asked, without any sort of check. Even after the malware was discovered, the original maintainer was dismissive, leaving it for others to clean up.
We've had an incident on Gerrit of a known malicious user, a Wikipedia vandal, submitting code with a security vulnerability, using a previously unknown pseudonym. We don't really want such a person to be summarily given +2 access to a repository.
I don't think it's a huge inconvenience to list your proposed contributors on a Phabricator ticket and then to wait a week.
-- Tim Starling