Talk:Gerrit/Privilege policy

I would suggest to consistently use term "code deploy deployed to Wikimedia cluster" or similar. On hand this removes the ambiguity between developed/maintained vs. deployed by WMF and on the other the ambiguity what is included: production cluster, beta cluster, other labs projects, chapter wikis hosted elsewhere.... Nikerabbit (talk) 15:19, 19 December 2018 (UTC)Reply

Three things, which are tangential to the actual point of this proposal, so feel free to ignore:

• When picking up (stale) patches from others, I often seek at least +1 from someone else for my additional changes before I self-merge. Assuming this is acceptable, maybe it can be documented under self-review.
• It would be kind for code bases with clear maintainers to give the maintainers a chance for review. I have seen patches created and merged by non-maintainers while maintainers were asleep. Sometimes these do have issues that could have been resolved before merging if the maintainers had the possibility to give a look at them. Can we encourage this in the policy?
• A non-criticizing observation: due to these rules, I often ask others to create patches I could do quickly myself, because getting someone to review my patch would take even longer than having the other person figure out how to create the patch, and I sometimes basically tell how it needs to be written, which is actually a self-review if one thinks about it very strictly. Nikerabbit (talk) 15:31, 19 December 2018 (UTC)Reply

I said something about the first point, and I also renamed the section and changed some language to make it clear that the problem is merging changes that have not been reviewed by someone else, not "self-review", whatever that is. You might naively think that self-review means reading your own code before you upload it to Gerrit, which seems OK to me. Tim Starling (talk) 06:04, 22 January 2019 (UTC)Reply

I've also encountered all three of these situations, particularly the first and third. Along these lines, I'm reminded of a few more edge cases:

• The "virtual +2": If I'd be willing to merge the patch from another +2er as-is, but I also want to leave a suggestion for minor improvement, I'll leave the comment and tell the author to feel free to self-merge the patch if they don't want to make further changes, instead of having to wait for me to come back to do it.
• Transient Jenkins errors: I've sometimes self-merged a patch when a previous non-self +2 failed to merge because of some transient Jenkins error, for example when npm occasionally fails to download its packages.
  • I know I've been tempted to do the same if Jenkins failed only because of a conflict in the RELEASE-NOTES file, but I don't recall whether I've ever actually done it. I have sometimes +2ed after doing the needed manual rebase of someone else's patch for RELEASE-NOTES or blatantly obvious documentation typos. Anomie (talk) 18:27, 19 December 2018 (UTC)Reply

I've hopefully covered this now. Rebasing RELEASE-NOTES could count as a trivial change not needing review. Tim Starling (talk) 06:05, 22 January 2019 (UTC)Reply

• puppet and mediawiki-config are mentioned under the heading "Deployment branches", is that a mistake? I imagine for deployment branches (and more generally backports) we'd want to say that self-merging is fine because these patches already passed code review elsewhere.
• I think self-merge after a virtual +2 or real +2 and simple rebase / CI failure is normal and does not contradict the policy as currently phrased (note it talks about self-review, not self-merge).
• To generalize Nikerabbit's last point, what's the difference between someone with +2 self-merging a patch that has been +1-ed by someone without +2, and someone with +2 merging a patch from written by someone without +2? In both cases the code is reviewed by exactly one person who is trusted with and responsible for enforcing conventions etc.etc. and another person who is less trusted. So the arguments given in the self-review section don't fully make sense to me.
  • And then sometimes that leads to merging code written by a less experienced developer that's OK but not great, because directing them through all the necessary changes would take forever and would not be a great experience for either of us, and changing the patch would mean I'd have to find another person with +2.
• "Inline comments can be used to indicate issues with the code that should be addressed before it is merged. Exercising -1 or -2 is just as important as +2." - this should probably be in the previous section, not self-review? Tgr (WMF) (talk) 22:03, 20 December 2018 (UTC)Reply

I removed the bit about -1 being as important as +2, because it seems a bit glib and confusing. Hopefully my change to the language to emphasize code review over merging covers this anyway. That change also hopefully answers your first point. Tim Starling (talk) 06:10, 22 January 2019 (UTC)Reply

puppet and mediawiki-config are mentioned under the heading "Deployment branches", is that a mistake? I imagine for deployment branches (and more generally backports) we'd want to say that self-merging is fine because these patches already passed code review elsewhere.

I was given pause in reading the same bulletpoint. I made a note to myself that perhaps the wording, "In deployment branches and the Puppet repository, changes are merged by the person doing the deployment" could be modified to indicate that self-+2 is common in any repository (or branch within a repository) where +2 indicates deployment rather than review; e.g., Deployment branches, integration changes, puppet repositories.

I don't know how to improve that wording, or whether the wording necessarily needs changes. I will say I did not understand the current wording quickly. TCipriani (WMF) (talk) 20:38, 24 January 2019 (UTC)Reply

> In both cases the code is reviewed by exactly one person who is trusted with and responsible for enforcing conventions etc.etc. and another person who is less trusted

Not really - in both cases the code has been viewed by one who is trusted with and responsible for conventions. But spotting one's own mistakes is a lot harder than spotting other people's mistakes. So I do think it makes sense to require review by another person with +2 rights who is not the author. DKinzler (WMF) (talk) 09:44, 3 January 2019 (UTC)Reply

For some smaller projects, we can be in a situation where only one person has enough knowledge on the project to sensibly do +2, or, even more frequently, only one such person is available (e.g. there may be two but one is on a month-long leave, or buried under urgent workloads, otherwise inaccessible). In this case, if the person who has +2 authors a change, there would be no way to merge it without self-merging. Smalyshev (WMF) (talk) 01:45, 19 January 2019 (UTC)Reply

@Smalyshev, I think that's covered by "For extensions (and other projects) not deployed to the Wikimedia cluster, the code review policy is up to the maintainer or author of the extension". DKinzler (WMF) (talk) 11:05, 2 April 2019 (UTC)Reply

The policy currently refers to "Gerrit Administrators" as being responsible or empowered to perform certain actions by this policy. It would however be more useful to associate these powers and responsibilities with gerrit permissions rather than a specific group, allowing the granularity of groups and permissions on gerrit to be improved as discussed on phab:T219012#5057232.

I propose to replace all references to "Gerrit Administrators" with "people with the necessary permissions on gerrit", (or an equivalent but less clunky phrase). DKinzler (WMF) (talk) 10:36, 2 April 2019 (UTC)Reply

On one side there is the administration of the Gerrit software itself. That is the Administrators built-in group in Gerrit which is https://gerrit.wikimedia.org/r/#/admin/groups/1,members This is the equivalent of having read/write access everywhere (disk or database).

On the other hand, the Gerrit Managers group https://gerrit.wikimedia.org/r/#/admin/groups/119,members is for administration of policy / access lists / repositories etc. It is less privileged than the administrators of the software itself, but is still a very large set of permissions. The group was originally named Project and Group Managers but got renamed to Gerrit Managers in Feb 2018 by https://gerrit.wikimedia.org/r/plugins/gitiles/All-Projects/+/10107cf5056eb6ef3903f49d59cd27387831c5b5%5E%21/#F0 It is semantically broader and might be confusing :D Antoine "hashar" Musso (talk) 11:26, 2 April 2019 (UTC)Reply

I think changing it to "Gerrit Managers" would be the most reasonable change. Jdforrester (WMF) (talk) 15:38, 2 April 2019 (UTC)Reply

> I think changing it to "Gerrit Managers" would be the most reasonable change.

It sounds reasonable, but in T219012 there is talk of creating a mediawiki-administrators. And further groups may be created in the future, for other repos, or with different rights.

This is why I want to avoid any group names in the policy. The policy should apply to whoever has the respective rights.

DKinzler (WMF) (talk) 17:12, 2 April 2019 (UTC)Reply

Then call it "the 'Gerrit Managers' group of individuals, or whatever it's called this week". Let them bike-shed in peace. Jdforrester (WMF) (talk) 17:36, 2 April 2019 (UTC)Reply

The link that is currently on the page links to https://gerrit.wikimedia.org/r/#/admin/groups/1,members which is not very helpful. Should it be removed or changed to something else? Nikerabbit (talk) 17:43, 13 May 2019 (UTC)Reply

I believe the current group is https://gerrit.wikimedia.org/r/admin/groups/119,members. Jdforrester (WMF) (talk) 17:48, 13 May 2019 (UTC)Reply

Gerrit Managers can change group membership only for groups they own, which is only 201 groups out of 1630. I volunteered to update the policy to say that Gerrit Managers can change groups, but I'm not going to do that when it's not true. 201 is suspiciously close to a round number, is it possible that someone tried to edit all the groups to be owned by Gerrit Managers but it failed due to a batch size limit? If I do the following query on the Gerrit database:

select group_id,name,owner_group_uuid='93b1e277b72d0e0a883afbc0a87948dd6dd0d7b7' as managed from account_groups where name like 'extension-%';

I get 1022 such extension-specific groups, of which 118 are owned by Gerrit Manager. The groups owned by Gerrit Manager are not contiguous when sorted by ID, UUID or name. Tim Starling (talk) 21:21, 18 September 2019 (UTC)Reply

Uh, that does sound odd...

I think the policy should just say "whoever has the permission to do it". DKinzler (WMF) (talk) 23:32, 18 September 2019 (UTC)Reply

How about we make all groups be owned by Gerrit Manager? Then we will actually be able to explain who has the ability to do this. Tim Starling (talk) 01:36, 19 September 2019 (UTC)Reply

I thought the idea was that no single group should have all the power, for security reasons. Wasn't that why the Administrators group was changed, after we had vandalism on Gerrit? DKinzler (WMF) (talk) 09:28, 19 September 2019 (UTC)Reply

No. The built-in Administrators group has powers that shouldn't generally be wielded, and which we can't remove or restrict (but would almost never need to use). The idea was to reduce the number of accounts with world-ending powers; it wasn't related to the kinds of actions this policy covers. Jdforrester (WMF) (talk) 15:44, 19 September 2019 (UTC)Reply

So Gerrit Manager should indeed own all groups? DKinzler (WMF) (talk) 16:55, 19 September 2019 (UTC)Reply

However Gerrit Managers don't have the ability to add people to the MediaWiki group. If you go with Gerrit Managers, we should also empower them to add/remove people from there or leave things as they are and let the LDAP group gerritadmin people to add people to the mediawiki group as it happens now AIUI. —MarcoAurelio (talk) 09:53, 22 September 2019 (UTC)Reply

On phab:T218135, Leszek raised the question of trusted orgs requesting access for people who had requested but had been denied merge rights in the past, as well as people who have held but lost merge rights in the past.

I propose to amend the policy to state that gerrit admins(*) should be advised to not use the "abridged" process without community discussion for people who have been denied before or lost privileges. Trusted orgs should, to the best of their knowledge, inform gerrit admins about such cases.

There is one case for which this would be annoying, though: people who lost their privileges per default, due to their contract or employment ending. It would be nice if they could be exempt from this rule, but that problematic as well: The policy requires privileges to be revoked per default so no information is exposed about whether the revocation happened due to any fault. So there might indeed have been an issue, we can't know.

I cite myself as an example: had this policy been in place when I left WMDE and joined WMF in October, I would have lost all privileges per default, and, with this amendment, would have to go through a community discussion before re-gaining them. Perhaps that could have been avoided if the gerrit admin in question had checked back with WMDE to ensure that there were no trust issues with me re-gaining the privileges. That however raises the question whether it would be legal for WMDE to share information about any issues I might have had working there, or the reasons for leaving.

(*) "admins" being gerrit users who have the necessary permissions to grant or revoke privileges. DKinzler (WMF) (talk) 10:51, 2 April 2019 (UTC)Reply

Hello,

I have since retired from development so this does not affect me much, if any, nowadays. But in the past, each time I was in need to request something to the gerrit administrators (mostly settings, or when clerking on MediaWiki +2 granting/removal Tasks) there was no easy way to reach the Gerrit administrators as a group; so I had to send some emails here and there until someone replied; which made me feel rather bad as I felt I was always putting the burden on the same couple of people that were responsive.

Given that now -and since some time- Gerrit adminship is managed through an LDAP group, I was wondering if we could create an email alias (EXIM? Wikimedia Google group?) such as "gerritadmin[at]wikimedia[dot]org" and subscribe all Gerrit Administrators there (except the bot I guess) so in case anyone needs an admin there's an easy way to reach 'em all through a single email to a single place.

I think that a gerritadmin[at]wikimedia[dot]org address exist or existed per phab:T54150 and got deleted per phab:T220843. If I remember rightly, I discussed the idea briefly with Hashar or Tyler a while ago in the RelEng channel. I can't remember. The later task also mentions a gerrit-admin[at]... address too.

Thanks. —MarcoAurelio (talk) 19:55, 2 December 2020 (UTC)Reply

It seems common sense that the section would only apply to code in Wikimedia production, just like the +2 policy, but the text doesn't actually say so. Could that be clarified? We don't want to force people to go through Phabricator privilege requests for repos under labs/tools (Toolforge), for example. Tgr (WMF) (talk) 04:33, 16 December 2020 (UTC)Reply

On Gerrit/Privilege_policy#Requesting_Gerrit_privileges it says that "To request membership in another group, create a new task under the Gerrit-Privilege-Requests project in Phabricator", "If there is a consensus of trusted developers on the Phabricator task, any of the Gerrit administrators can resolve the request" and "Gerrit administrators should not grant repository ownership to ordinary developers". Labs/Cloud is not part of Gerrit/Privilege_policy#Expedited_process_for_trusted_organisations and in light of Talk:Gerrit/Privilege policy#h-Allow_trusted_users_to_be_owners_of_repos-2019-01-24T19:38:00.000Z as well, it looks to me that (common sense or lack thereof) all access requests shall go through a Phab task. —MarcoAurelio (talk) 12:28, 16 December 2020 (UTC)Reply

Should this be changed to the new body? wargo (talk) 21:46, 15 April 2024 (UTC)Reply

If we had a new technical standards setting/reviewing body to change it to that would be excellent. BDavis (WMF) (talk) 22:01, 15 April 2024 (UTC)Reply

Technical decision making/Forum? wargo (talk) 22:11, 15 April 2024 (UTC)Reply

That group has no met for about a year now... Technical decision making/Technical Decision-Making Process Retrospective and Consultation plan BDavis (WMF) (talk) 22:14, 15 April 2024 (UTC)Reply

As Bryan Davis said, the committee has been disbanded a few years ago without a replacement body and the forum is not quite the same. Last July 2023 a group was formed to analysis the forum and they have published their report yesterday:

• announcement: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/message/VF47G6YTYRDUQTNTGOY4YPZDV7PUB5TH/
• report: Technical_decision_making/Technical_Decision-Making_Process_Retrospective_and_Consultation_plan/Retrospective_and_Consultation:_Results_and_Analysis Antoine "hashar" Musso (talk) 06:21, 24 April 2024 (UTC)Reply

Right now the policy only requires a wikitech-l email for requests for mediawiki/* +2 rights. I think we should expand that requirement to all Wikimedia-deployed MediaWiki code, as that access is sensitive enough so that requests should be seen by the wider developer community and not just the people who happen to follow the Gerrit privilege request tag. An email to wikitech-l has been sent for the past couple of such requests and I think it's worked fine. Taavi (talk!) 11:00, 20 April 2024 (UTC)Reply

This seems pretty reasonable. In the case of Wikimedia-deployed extensions that have no real stewards, I'd imagine a similar level of engagement as we get on the tasks (little to none), but there's a better chance of running into the request via email vs the privilege request board. Opening that to broader discussion/same vetting period seems like a good way to approach this. +1 from me. TCipriani (WMF) (talk) 18:41, 23 April 2024 (UTC)Reply

There is a problem when no consensus is reached for a request. The policy states that the next step is to refer the matter to TechCom. As noted elsewhere on the talk page, there is no current TechCom equivalent.

This is rarely a problem for privilege requests to mediawiki since the email to wikitech-l is usually sufficient to spur discussion on a task that is unambiguous in its recommendation.

This is a problem for requests to other groups because there may be no discussion whatsoever on the phabricator task.

It could be argued that this is a negative endorsement; however, for abandoned extensions, it may be that few are paying attention.

I'd like to amend the policy to direct people to email wikitech-l in the case that there is no feedback on a task requesting privileges in a non-mediawiki group within the two week period tasks must remain open. And in the case that no objections are raised, to grant the privilege (fail to open). TCipriani (WMF) (talk) 15:35, 24 September 2024 (UTC)Reply

I'd like to amend the policy to direct people to email wikitech-l in the case that there is no feedback on a task requesting privileges in a non-mediawiki group within the two week period tasks must remain open. And in the case that no objections are raised, to grant the privilege (fail to open).

Should this still be restricted in some way to "known contributors" with some history of activity on the projects, or at least some clear history of participation in the broader FOSS community? BBearnes (WMF) (talk) 18:16, 24 September 2024 (UTC)Reply

> Should this still be restricted in some way to "known contributors"

@BBearnes (WMF) are you thinking about this as a way to slow down things like the XZ Utils supply chain attack or do you see other justifications for limiting who an abandoned project is passed on to?

I feel personally pretty torn between wanting to help anyone who is motivated to support an otherwise unsupported extension/skin/library/tool and wanting the downstream folks who use that software product to be able to trust that the software will not become malicious. Hopefully it it obvious that in an ideal world we would get both outcomes from every decision. When we are talking about attempts to adopt code where nobody has been able to make contact with the original authors I think that in the abstract I would support any maintainer over no maintainer, but I'm not sure how to condense that feeling into a scoring rubric of some sort for evaluating requests. BDavis (WMF) (talk) 20:09, 25 September 2024 (UTC)Reply

Yeah, that was pretty much my thinking. I guess I feel like "any maintainer who's not gonna (for example) backdoor unsuspecting users", but I too am unsure how to most usefully set up rules that best help ensure that. BBearnes (WMF) (talk) 20:54, 25 September 2024 (UTC)Reply

If a repo is truly abandoned enough for nobody to care then it probably doesn't have any users checking the repo specifically (as opposed to checking the MediaWiki.org page which could be edited by anyone to point to a backdoored repo). * Pppery * _{it has begun} 21:16, 25 September 2024 (UTC)Reply