I think what you're asking for already exists? We have groups for ShoutWiki, BlueSpice, and Brickipedia, which are set as owners of extensions that those groups maintain. When someone new joins the group, an admin just needs to add them to that one group and they have +2 across all of their relevant extensions.
Topic on User talk:Tim Starling (WMF)/Gerrit group membership policy changes
It's definitely good if the list can be non-empty to start with. ShoutWiki and BlueSpice definitely fit into the model I'm imagining, in that there is a company and the group members appear to be employees. For Brickimedia it is a bit more murky, it seems to be the ShoutWiki staff plus some volunteers. I guess the Brickimedia group would be administered by ShoutWiki? The question is whether allied organisations should be allowed to appoint non-employees to the Gerrit groups they manage, without going through the normal process.
I definitely think that "allied organisations should be allowed to appoint non-employees to the Gerrit groups they manage". That's what managing the group means, right?
The question is whether they can also appoint people to be added to the wikimedia-and-all-extensions group. I think that should be the case for organizations who's hiring process and internal review/oversight WMF has sufficient trust in. WMDE is the prime example, BlueSpice/HalloWelt is probably also a good candidate. Don't know about the rest.
This raises the question - how does an org gain (and lose) this "trusted" status? What shall be the process for this?
I'll second this point. The proposed changes state both "Add the LDAP wmde group to the Gerrit mediawiki group, so that WMDE staff members will have full rights on mediawiki/* projects after on-boarding." and "Access requests to the mediawiki group require special consideration."
I don't have any reason to think we can't trust WMDE in this, but we should consider the actual criteria for when a non-WMF group is trusted enough to appoint mediawiki mergers without that extra consideration to be prepared for the next group that might want that trust.
When discussing this during the TechCom meeting, we found that we should not use "included groups" to automatically make members of the wmde group members of the mediawiki group, for one reason: if we did that, it would become impossible to revoke or deny mediawiki rights from a wmde staff member. And while WMDE staff in general is presumably trusted, there have been cases in the past were individual WMDE staff have been denied +2 access to mediawiki.
So instead, membership to the mediawiki group should be granted to WMDE hires upon request per default, without a lengthy review process, with the WMF reserving the right to revoke that membership.
The organisations would be listed in the policy. So modification would be done in the same as any revision to the policy. I believe we are leaning towards CTO approval for this.