https://gerrit.wikimedia.org/r/#/admin/groups/1505,info was originally created with the sole purpose of letting users to merge their own gerrit avatars. As of today via https://gerrit.wikimedia.org/r/#/admin/projects/All-Projects,access they have been granted some sensitive permissions which have been abused in the past, such as Add Patch Set.
Group description reads: "Group that will be allowed to do additional things like merging their own avatar changes etc. Members of this group can add other users they think are trustworthy."
First part is not quite exact as of today given that Trusted-Contributors are able to do more than just that. The second part seems to be against the philosophy of the current Gerrit Privilege Policy, which states that "To request membership in another group, create a new task under the Gerrit-Privilege-Requests project in Phabricator."
This makes me wonder the following:
- can the Trusted-Contributors project in Gerrit continue to be self-managed by members of said project as it happens now? (it looks self-owned groups are not allowed now?)
- if the above is no, shall we make the group to be owned by Gerrit Managers instead, and direct users to request access via a Phabricator task?
- shall we audit the list of members and perform any removal if the group is now meant to be restricted?