
+2 in mediawiki/* for WMDE engineers
Closed, ResolvedPublic

Description

https://lists.wikimedia.org/pipermail/wikitech-l/2019-March/091612.html announced changes to the Gerrit privilege policy, approved by the WMF CTO and the Technical Committee.

Based on the new text of the policy (https://www.mediawiki.org/wiki/Gerrit/Privilege_policy), I hereby request granting +2 rights on mediawiki/* Gerrit repositories to WMDE engineers who have not been granted these so far.

I am sure there are many ways to implement this on Gerrit side. As far as I know, so far WMDE staff members when given +2 rights were added to Gerrit group mediawiki: https://gerrit.wikimedia.org/r/admin/groups/11,members. In case this is helpful, I note that wmde LDAP group (https://tools.wmflabs.org/ldap/group/wmde) does include several users who are not engineers, and hence probably should not be given additional Gerrit rights.

For convenience, here is the list of Gerrit user names of WMDE engineers, and respective shell user names, excluding those who already were granted +2 rights:

  • Alaa Sarhan / alaasarhan
  • Andrew-WMDE / andrew-wmde
  • Awight / awight
  • Gabriel Birke / gbirke
  • Jkroll / jkroll
  • Matthias Geisler / bitpogo
  • Michael Große / migr
  • Monica Pinedo / darthmon
  • Noa wmde / noa
  • Pablo Grass (WMDE) / pgrass
  • Raz Shuty / raz-shuty
  • Tarrow / tarrow
  • Tobias Gritschacher / tgritschacher
  • Tim Eulitz / tieu
  • Tonina Zhelyazkova / tonina

The list can be verified by comparing it with the wmde LDAP group listing (in order to be added to the group, one needs to be approved by a WMF manager and sign an NDA with WMF). For additional verification, the WMDE staff page may also be of help: https://www.wikimedia.de/en/people/staff.

Should there be a need for additional information, I would be happy to provide it in the ticket, or in another form if preferred.

Event Timeline

I'm not sure how to say this without coming off as a dick, so I'm just going to go ahead: Jeroen De Dauw already has 2 failed requests for +2 in mediawiki/core 1 2. Admittedly this was a long time ago, but the last time he did anything non-trivial in MW core was in 2013. I feel like this is sort of a backdoor around previous community consensus.

To clarify, per https://www.mediawiki.org/wiki/Gerrit/Privilege_policy#Expedited_process_for_trusted_organisations I'm supposed to add everyone into the mediawiki group? I think it would be easier if we created a wmde-mediawiki group that is part of the mediawiki group, mostly to keep the list separate for easier management. But it would be the same permissions granted. Would that be alright?

I'm not sure how to say this without coming off as a dick, so I'm just going to go ahead: Jeroen De Dauw already has 2 failed requests for +2 in mediawiki/core 1 2. Admittedly this was a long time ago, but the last time he did anything non-trivial in MW core was in 2013. I feel like this is sort of a backdoor around previous community consensus.

I'd like @tstarling and/or @daniel to comment on this. Given what Daniel wrote on-wiki (https://www.mediawiki.org/w/index.php?title=Topic:Uqnwtnsd6jiealzi&topic_showPostId=url27yh224eh72uq#flow-post-url27yh224eh72uq), I don't think Jeroen would get +2 permissions in mediawiki/ without a full discussion.

Jeroen De Dauw already has 2 failed requests for +2 in mediawiki/core 1 2. Admittedly this was a long time ago, but the last time he did anything non-trivial in MW core was in 2013. I feel like this is sort of a backdoor around previous community consensus.

@Bawolff decent point, thanks for bringing this up. Regarding this being a backdoor etc.: it is only my words and I have nothing more to back up the claim that WMDE is not intending here to go around past consensus etc., but I was not even aware of those previous requests. Those were actually even back in 2012; I have only been with WMDE since mid-2015. This ticket only comes as an intent to execute the new point in the policy, no more agenda here.

Being kind of on the side in this case, I would rather back off from interpreting the policy and let people in charge do it. It indeed seems a bit of a special case now. As @daniel said in the linked discussion, generally the new policy point relates to the situation of onboarding new WMDE hires, while now we obviously talk about the "existing" staff members.

To clarify, per https://www.mediawiki.org/wiki/Gerrit/Privilege_policy#Expedited_process_for_trusted_organisations I'm supposed to add everyone into the mediawiki group? I think it would be easier if we created a wmde-mediawiki group that is part of the mediawiki group, mostly to keep the list separate for easier management. But it would be the same permissions granted. Would that be alright?

I wouldn't consider myself a good person to answer those questions really, but what @Legoktm suggests above seems like a convenient way of managing permissions. As I tried to say in the task description, I believe the existing wmde LDAP group should be kept as it is, as it includes users that are not granted additional permissions.
WMDE management is going to follow the discussion on this side of the request too, and will adjust future requests (for onboarding new staff members for example) to whatever solution is decided on, for everyone's convenience.

Finally, thanks to @tstarling for publishing and announcing the new policy, I've adjusted links in the description to point to the official location of the policy.

To clarify: the intent of the new policy is to allow +2 access to be granted without community discussion or consensus building, upon request of trusted organizations. This does not imply a right or automatism for that request to be granted; +2 access can still be denied or revoked at the discretion of the groups/roles mentioned in the policy. This means that membership in a trusted org's own group must not automatically imply membership in the mediawiki group.

Having a wmde-mediawiki group that implies mediawiki and wmde would be fine, though having implicit members in the mediawiki group may make things more confusing to manage. On the other hand, having a wmde group that implies the mediawiki group would not be ok.

Thanks @daniel. So I created a wmde-mediawiki group (https://gerrit.wikimedia.org/r/admin/groups/1597) with everyone listed except for Jeroen. But... due to recent permissions shuffles I can't actually grant the proper rights (T219086), so stay tuned...

Thanks @Legoktm for this. I wanted to also add WMDE staff members who have already been granted +2 rights to the new group, to have everyone in one place. At this moment I don't have rights to add users to the group yet (which makes sense at this stage).

Users to be added, on top of the ones from the list in the task description, are (Gerrit/LDAP user names):

  • Addshore
  • Hoo man
  • Jakob
  • Ladsgroup
  • Lucas Werkmeister (WMDE)
  • Thiemo Kreuz (WMDE)
  • WMDE-Fisch
  • WMDE-leszek

While doing this, I've noticed I missed one WMDE engineer in the original list. Could you please also add user Andrew-WMDE (shell andrew-wmde) to wmde-mediawiki? Apologies for my failure (I am updating the task description as well).

Also, for clarity, I wanted to ask how to proceed with user Jeroen De Dauw. While @Legoktm did the right thing above, I need to ask who is going to decide on whether this user is permitted to be added to the wmde-mediawiki group? Should the decision be negative, WMDE will stick to it, but we'd like to have a clear understanding of what the circumstances are that exclude this user from the group. As mentioned in the policy, WMDE will be able to add new users to the said group themselves, so we would like to apply clear criteria and processes, e.g. when there are new staff members joining.

Also, for clarity, I wanted to ask how to proceed with user Jeroen De Dauw. While @Legoktm did the right thing above, I need to ask who is going to decide on whether this user is permitted to be added to the wmde-mediawiki group? Should the decision be negative, WMDE will stick to it, but we'd like to have a clear understanding of what the circumstances are that exclude this user from the group.

Jeroen had requested +2 rights in the past, and was denied that access, after a public discussion of his request, see https://www.mediawiki.org/wiki/Gerrit/Project_ownership/Archive#Jeroen_De_Dauw,_19_March_2012. That was just before he joined WMDE, IIRC. I later inquired at WMF about giving him +2 rights, and was told there were still reservations against doing so. But that was several years ago, so things may have changed.

There is no official process for this situation as far as I know. The policy states that gerrit admins may grant +2 rights without discussion upon request by a trusted org. It would be fair to warn said admins about the fact that the person in question had been denied or has lost access before. If they choose not to directly grant merge rights because of that, the "normal" process via a public request and discussion is always open, I suppose.

As mentioned in the policy, WMDE will be able to add new users to the said group themselves, so we would like to apply clear criteria and processes, e.g. when there are new staff members joining.

The policy does not say that WMDE will be able to add people to any group themselves. It says that WMDE staff members should be in the wmde group, which specifically does not imply the mediawiki group. Access to the mediawiki group may be granted to staff members of trusted organizations without discussion, but must still be requested. The wmde-mediawiki group represents the intersection of the mediawiki and wmde groups. Its existence should be considered an implementation detail.

Now, there is nothing that keeps you or any other WMDE employee from becoming a gerrit admin (or gerrit project admin, or whatever we'll call that role in the future). But formally, it would still be WMDE requesting access for staff members, and gerrit admins granting that access, based on their own rules and processes. How elevated privileges on gerrit are granted is currently unspecified. In the light of recent events, the current state of affairs is under scrutiny by the security team.

Also, for clarity, I wanted to ask how to proceed with user Jeroen De Dauw. While @Legoktm did the right thing above, I need to ask who is going to decide on whether this user is permitted to be added to the wmde-mediawiki group?

I think he would need to go through the normal community discussion process. The trusted organization process is supposed to be an expedited alternative, but the standard process is always still available AIUI.

Also, for clarity, I wanted to ask how to proceed with user Jeroen De Dauw. While @Legoktm did the right thing above, I need to ask who is going to decide on whether this user is permitted to be added to the wmde-mediawiki group? Should the decision be negative, WMDE will stick to it, but we'd like to have a clear understanding of what the circumstances are that exclude this user from the group.

Jeroen had requested +2 rights in the past, and was denied that access, after a public discussion of his request, see https://www.mediawiki.org/wiki/Gerrit/Project_ownership/Archive#Jeroen_De_Dauw,_19_March_2012. That was just before he joined WMDE, IIRC. I later inquired at WMF about giving him +2 rights, and was told there were still reservations against doing so. But that was several years ago, so things may have changed.

Yup, this past request has already been referred to above. I agree that for completeness this past request (or requests) should be listed here, and I appreciate that @Bawolff did it, as I personally hadn't known about these. On another note (my personal thought here), as far as I remember from reading those archive pages a few weeks ago, not only were requests made and refused 7 years ago, but also the reason given there to deny the access was a lack of a process for revoking +2 rights, which actually now exists, with the introduction of the new policy, as far as I understand it.

There is no official process for this situation as far as I know. The policy states that gerrit admins may grant +2 rights without discussion upon request by a trusted org. It would be fair to warn said admins about the fact that the person in question had been denied or has lost access before. If they choose not to directly grant merge rights because of that, the "normal" process via a public request and discussion is always open, I suppose.

Right, that's basically what I am trying to understand here. Could someone with the right authority (is it Tech Comm, or Gerrit Administrators, who to ping?) state here what the decision is?
If the authoritative body states that, for example, in the cases of past requests that have been denied, it is advised to always go with the "normal" discussion process, that is useful information for WMDE, and I imagine for other Trusted Organisations as well.
If the governing body does not want to make general rules like that (for which I personally could also see reasons), I would appreciate a decision with regards to the particular user in this request here.

Please don't get me wrong. I very much appreciate your comments @daniel and @Legoktm. I simply would like to go past "I think" and "I suppose" from individuals, and have some kind of decision here, from the ones who are actually expected to make such decisions :)

As mentioned in the policy, WMDE will be able to add new users to the said group themselves, so we would like to apply clear criteria and processes, e.g. when there are new staff members joining.

The policy does not say that WMDE will be able to add people to any group themselves. It says that WMDE staff members should be in the wmde group, which specifically does not imply the mediawiki group. Access to the mediawiki group may be granted to staff members of trusted organizations without discussion, but must still be requested. The wmde-mediawiki group represents the intersection of the mediawiki and wmde groups. Its existence should be considered an implementation detail.

Thanks for the clarification. I kind of made a "thought shortcut" when thinking of the following sentence of the policy: "It also allows trusted organisations to grant access to volunteers who are well known and trusted by those organisations." You're right that this does not imply any particular solution in terms of who adds users to what group; sorry for going too far with suggesting particular solutions. Those are implementation details really, and WMDE is of course going to follow what makes the most sense from the Gerrit maintainers' perspective.

Now, there is nothing that keeps you or any other WMDE employee from becoming a gerrit admin (or gerrit project admin, or whatever we'll call that role in the future). But formally, it would still be WMDE requesting access for staff members, and gerrit admins granting that access, based on their own rules and processes. How elevated privileges on gerrit are granted is currently unspecified. In the light of recent events, the current state of affairs is under scrutiny by the security team.

Valid point. We might be getting sidetracked, which is my fault, so I'll stop with this particular implementation topic now.

@WMDE-leszek: I added a proposal to clarify the process on the talk page of the policy, see https://www.mediawiki.org/wiki/Topic:Ux3fj9wrnoqxmcwe

As long as this remains unclear in the policy, I can only refer you to the WMF CTO as the ultimate authority for these things. She sets the policy.

To clarify the role of TechCom: TechCom only advises and facilitates on the policy, since engineering processes are out of scope of the committee's charter. The policy however grants TechCom some authority on the question who should (and should not) have +2 rights, since that decision may depend on assessing the user's activity from an engineering point of view.

@Bawolff @daniel @Legoktm
If I managed to follow the discussion here correctly, this is currently stalled because of the lack of clarity on how to deal with Jeroen De Dauw being part of this request. If that's correct, can we just take him out of the list, move on with the rest as we would normally do, and deal with Jeroen in a separate process? Assuming the rest of the list is ok of course, which IIRC is the case.

Given that the reduced list is fine policy-wise, the next step would be the actual technical implementation of this. @Legoktm's suggestion of having a wmde-mediawiki group that is part of the mediawiki group sounds fine to me, but this is up to the actual experts to decide. Who would we need to poke in order to get this moving?

Tobi_WMDE_SW added subscribers: Krinkle, greg.

@greg @Krinkle
I was told you were the ones that could help with the technical side of this request. Since I didn't manage to catch you at the hackathon and I'm now already on the way to the train station, I'm bothering/adding you here the unsocial way. Since TechCom/@daniel gave their ok on the updated list above, I get it that it's now an Ops task.

I'm actually not able to do this, as I am no longer a Gerrit admin.

I can see that the wmde-mediawiki group has been created and contains some members. However, the audit log isn't accessible to me to see when or by whom this was done. See https://gerrit.wikimedia.org/r/#/admin/groups/1597,members

If that list is correct, then a Gerrit admin should add it as include at https://gerrit.wikimedia.org/r/#/admin/groups/11,members, and then after that probably remove any explicit WMDE user names from mediawiki that are redundant with the inclusion of wmde-mediawiki.

Legoktm claimed this task.

@Bawolff @daniel @Legoktm
If I managed to follow the discussion here correctly, this is currently stalled ...

Sorry, this was actually just stalled on me (or another Gerrit admin) implementing it...which I've done now. All the people listed in the task are now members of the wmde-mediawiki group, which is an included group of mediawiki.

I can see that the wmde-mediawiki group has been created and contains some members. However, the audit log isn't accessible to me to see when or by whom this was done. See https://gerrit.wikimedia.org/r/#/admin/groups/1597,members

The group is public, and the audit log should be too...if you can't see that, can you file a bug in Gerrit about that?

If that list is correct, then a Gerrit admin should add it as include at https://gerrit.wikimedia.org/r/#/admin/groups/11,members, and then after that probably remove any explicit WMDE user names from mediawiki that are redundant with the inclusion of wmde-mediawiki.

The people currently in the mediawiki group went through the community approval process, and shouldn't be moved into the wmde-mediawiki group, which is part of the expedited trusted organization process.

Thank you @Krinkle for pointing out the right way forward and @Legoktm for finally finishing it!