Page MenuHomePhabricator

Discussion re. `Trusted-Contributors` Gerrit group
Open, Needs TriagePublic

Description

https://gerrit.wikimedia.org/r/#/admin/groups/1505,info was originally created with the sole purpose of letting users to merge their own gerrit avatars. As of today via https://gerrit.wikimedia.org/r/#/admin/projects/All-Projects,access they have been granted some sensitive permissions which have been abused in the past, such as Add Patch Set.

Group description reads: "Group that will be allowed to do additional things like merging their own avatar changes etc. Members of this group can add other users they think are trustworthy."

First part is not quite exact as of today given that Trusted-Contributors are able to do more than just that. The second part seems to be against the philosophy of the current Gerrit Privilege Policy, which states that "To request membership in another group, create a new task under the Gerrit-Privilege-Requests project in Phabricator."

This makes me wonder the following:

  • can the Trusted-Contributors project in Gerrit continue to be self-managed by members of said project as it happens now? (it looks self-owned groups are not allowed now?)
  • if the above is no, shall we make the group to be owned by Gerrit Managers instead, and direct users to request access via a Phabricator task?
  • shall we audit the list of members and perform any removal if the group is now meant to be restricted?

Thank you.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 19 2019, 11:50 AM

I don't personally think we need to make any changes. The group can do what we used to allow to everyone, and at least I didn't see any problem with Trusted-Contributors here, which is fairily similar to the Gerrit thing.

For me the policy is not very clear, as it has not a definition of what is a privilege.

My understanding is that the new Gerrit Privilege Policy wants to ensure that everything that a ordinary Gerrit user cannot do (a privilege) must be proposed, discussed and approved first. This seems to be the intention by my reading of https://www.mediawiki.org/wiki/Gerrit/Privilege_policy#Requesting_Gerrit_privileges.

Add Patch Set was sadly removed from everyone because it was abused. Trusted-Contributors was not a group that originally had this ability. I think it makes little sense to create a group to limit who can modify other people's patches if anyone can be added later to said group without any or little control.

Moreover, the policy clearly discourages members of groups to add other members to it without a Task.

I am not for or against the current practice. Being honest, we have had no issues with how things have been working so far. But I'd love this to be clarified as I don't want issues in the future or being accused of breaching the policies and risk sanctions for doing so.

saper added a subscriber: saper.Nov 21 2019, 12:20 AM

Thanks for opening this task, this could use some clarity and alignment with the privilege policy.

There are several permissions that allow users to change other users patchsets in a way that could be viewed as disruptive:

  1. Edit Topic Name
  2. Edit Hashtags
  3. Add Patchset

These three privileges were at one time granted to the Registered Users group of which all users of Gerrit are a part. That is, anyone who signed into our Gerrit could fiddle with anyone else's patchset in a substantive way -- i.e., a person could upload a new version of your patch that is a complete rewrite of what you intended for a patchset.

There was an instance of abuse of these abilities that was disruptive. In late March these abilities were removed from Registered Users and granted only to Project Owners. It was noted in April on the Wikitech-l list that the change of Add Patchset to be only available to Project Owners was disruptive to a lot of folks' workflows. At the time @Bawolff suggested as a compromise that we grant this ability to Trusted Users. This, to me, seemed like a reasonable compromise as these "permissions" were previously granted to Registered Users this change locked down the ability to add a patchset to users who were "known" in some sense of that word: i.e., through a web of trust -- a self-owned group.

Subsequently, I granted the other permissions that were previously granted to Registered Users to Trusted users: Edit Hashtags and Edit Topic Name.

For me the policy is not very clear, as it has not a definition of what is a privilege.

My understanding is that the new Gerrit Privilege Policy wants to ensure that everything that a ordinary Gerrit user cannot do (a privilege) must be proposed, discussed and approved first. This seems to be the intention by my reading of https://www.mediawiki.org/wiki/Gerrit/Privilege_policy#Requesting_Gerrit_privileges.

That is an excellent point; however, at the time that privilege policy was written, the above 3 privileges were granted to all ordinary Gerrit users.

Add Patch Set was sadly removed from everyone because it was abused. Trusted-Contributors was not a group that originally had this ability. I think it makes little sense to create a group to limit who can modify other people's patches if anyone can be added later to said group without any or little control.

I believe the web-of-trust aspect of the Trusted-Contributors group does add some control to the process. Knowing that the group even exists, or having a need to use these missing "privileges" in the first place also acts as a (admittedly low) barrier to entry vs. advertising these privileges to folks who may not even know what they do and abuse them out of ignorance rather than malice.

Moreover, the policy clearly discourages members of groups to add other members to it without a Task.

+1 that seems the current case. Hopefully this discussion can rectify that.

I am not for or against the current practice. Being honest, we have had no issues with how things have been working so far. But I'd love this to be clarified as I don't want issues in the future or being accused of breaching the policies and risk sanctions for doing so.

+1

At the time i was kind of thinking of trusted contribs, as being kind of like autoconfirmed but for gerrit

daniel moved this task from Inbox to Watching on the TechCom board.Nov 27 2019, 9:14 PM

I'd like to find documentation how someone can add someone else to Trusted-Contributors in Gerrit. I could not find anything on https://www.mediawiki.org/wiki/Gerrit/Privilege_policy . I wasn't aware of this task and created https://www.mediawiki.org/w/index.php?title=Topic:Vmctpz0m7zzpcaqt as this was brought up in PS6 on https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/574865/ when a contributors tried to amend another contributor's patch.

...and once someone found out the hidden magic behind this, an update to https://www.mediawiki.org/w/index.php?title=Gerrit%2FTutorial&type=revision&diff=3860177&oldid=3849345 will be required.

Ok, so Timo told us the magic: it's viral, anyone in the group can add someone else to the group. Is Gerrit Tutorial still the right place to document this? I'm happy to do that if you see no problems with it.