Last modified: 2014-02-04 00:08:26 UTC
As I understand it, any Wikimedia Foundation employee can +2 code in Gerrit. This is a flawed design and should be corrected.
Gerrit is a flawed design.
(In reply to comment #0) > As I understand it, any Wikimedia Foundation employee can +2 code in Gerrit. > This is a flawed design and should be corrected. Not automatically. I can't +2 code. Not that I actually want the ability to be able to, though.
(In reply to comment #1) > Gerrit is a flawed design. Perhaps, but it's the current code review tool. :-) Further information about the technical details behind the current implementation would be really helpful here. It has something to do with LDAP and user groups or something, I think, maybe.
(In reply to comment #0) > As I understand it, any Wikimedia Foundation employee can +2 code in Gerrit. > This is a flawed design and should be corrected. Rephrase this: any full time WMF engineer is entitled to access to the ldap/wmf group (ops has +2 on all repos). Like Dan says: non engineers don't usually get this (and actually this is a nice reminder--I need to remove some former staffers and hadn't gotten around to it) ldap/wmf is given review permissions over most non-operations stuff. Specifically wikimedia/* mediawiki/* and analytics/*. This is mostly done out of convenience as there's lots of deployed things that an engineer could need access to. If a given repo has a desire to deny default group permissions from inheriting, they can in their ACL(s).
(In reply to comment #4) > (In reply to comment #0) > > As I understand it, any Wikimedia Foundation employee can +2 code in Gerrit. > > This is a flawed design and should be corrected. > > Rephrase this: any full time WMF engineer is entitled to access to the > ldap/wmf > group (ops has +2 on all repos). > That should say "entitled... on request." It's not automatically granted, and it typically *doesn't* get granted until an engineer finds themselves needing it and ask :)
(In reply to comment #4) Thanks for the clarification! > Rephrase this: any full time WMF engineer is entitled to access to the > ldap/wmf group (ops has +2 on all repos). Is there a way to see the members of the ldap/wmf group? As I understand it, this ldap/wmf group includes more than just full-time Wikimedia Foundation engineers. There are contractors in this group. There are non-engineers in this group. Related: https://gerrit.wikimedia.org/r/#/admin/groups/11,members
(In reply to comment #6) > Is there a way to see the members of the ldap/wmf group? https://gerrit.wikimedia.org/wmf-20140124.txt
I tried to clarify the bug summary. Why are we relying on the ldap/wmf group? Can't we simply be explicit (i.e., <https://gerrit.wikimedia.org/r/#/admin/groups/11,members>)? This would be much more transparent.
(In reply to comment #8) > I tried to clarify the bug summary. > > Why are we relying on the ldap/wmf group? Can't we simply be explicit (i.e., > <https://gerrit.wikimedia.org/r/#/admin/groups/11,members>)? > Because as far as I know, it's also used for access to some other services too (I think the test logstash is an example, as it's still under development and contains private logs). It's modeled after the ldap/ops group, which has existed since labs launched. It's used in gerrit mostly out of convenience, but I could be convinced otherwise if we can't do this \/ > This would be much more transparent. I would love to make the ldap groups (and everything about ldap) much much more accessible on wikitech. There's not a whole lot of private data there.
(In reply to comment #8) > Can't we simply be explicit (i.e., > <https://gerrit.wikimedia.org/r/#/admin/groups/11,members>)? With or without the current [[+2]] approval process that currently entails? (Both cases would require process changes...) (In reply to comment #9) > Because as far as I know, it's also used for access to some other services > too > (I think the test logstash is an example, as it's still under development and > contains private logs). It's modeled after the ldap/ops group, which has > existed since labs launched. I don't think there's any need to rethink this LDAP group from scratch. I think most if not all the people in the group who ever used +2 also had such permission via other groups (particularly for "their" extensions). It would be nice to have 1) a list of group members who ever used +2, 2) a list for the subset of (1) which could perform said +2 thanks to wmf group only. From that we can understand how big a change this would be. We might discover we only need a handful tweaks to some more specific groups' membership.
