Page MenuHomePhabricator

wikimedia/security gerrit requests
Open, NormalPublic

Description

Hello Release-Engineering-Team -

We'd like to start using wikimedia/security in a more organized way for various projects and tools that we (Security-Team) have been working on. We had a couple requests:

  1. Can we enable the wikimedia-security group to have repo creation rights under wikimedia/security? Basically so we can create wikimedia/security/foo when we need to and have those be stand-alone repos. I'm not sure where the current state of gerrit permissions and related processes stands, but this would be incredibly convenient for us.
  2. Can we update the wikimedia-security group to include @Dsharpe and @JFishback_WMF?
  3. If we can't do (1), can you let us know the best way to quickly get new repos moved/created under wikimedia/security?

Thanks.

Event Timeline

sbassett created this task.Tue, Nov 5, 7:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptTue, Nov 5, 7:31 PM
Paladox added a subscriber: Paladox.Tue, Nov 5, 7:35 PM

Hi,

  1. Is not possible, it's either you can create repos for all namespaces or you carn't :)
  1. Needs an admin.
  1. answered in 1 :)
Reedy added a comment.Tue, Nov 5, 8:14 PM

For number one, it's probably not unreasonable just to add them to Gerrit Managers

Aklapper moved this task from Bugs & stuff to Repo Admin on the Gerrit board.
thcipriani triaged this task as Normal priority.Thu, Nov 7, 3:09 PM

Can we update the wikimedia-security group to include @Dsharpe and @JFishback_WMF?

Done.

If we can't do (1), can you let us know the best way to quickly get new repos moved/created under wikimedia/security?

1 is unfortunately not possible.

As for adding wikimedia-security to Gerrit Managers -- I'm a bit wary as that comes with other permissions that you probably don't care to have and ownership over repos that you also probably don't care to have. Additionally, I don't want to forget that we added wikimedia-security at some point when the needs of the Gerrit Managers group diverges from the needs of wikimedia-security.

I can give wikimedia-security the Create Project permission if that's acceptable with the understanding that it's for use inside wikimedia/security if that's acceptable?

Can we update the wikimedia-security group to include @Dsharpe and @JFishback_WMF?

Done.

Thanks!

As for adding wikimedia-security to Gerrit Managers -- I'm a bit wary as that comes with other permissions that you probably don't care to have and ownership over repos that you also probably don't care to have. Additionally, I don't want to forget that we added wikimedia-security at some point when the needs of the Gerrit Managers group diverges from the needs of wikimedia-security.
I can give wikimedia-security the Create Project permission if that's acceptable with the understanding that it's for use inside wikimedia/security if that's acceptable?

If Create Project lets us easily create/manage repos within wikimedia/security, I think that's all we'd need for now. Or if we could add one other person on our team (besides @Reedy, Brian is more of a volunteer these days) in the Gerrit Managers group (maybe @chasemp?) that should work. Whatever's easiest and the best action from a security standpoint on your end.