Last modified: 2012-03-26 12:41:39 UTC

Bug 35148 - Set up Gerrit project owner group for MediaWiki core + WMF-deployed extensions
Product: Wikimedia
Classification: Unclassified
Git/Gerrit
: High normal
Assigned To: Nobody - You can work on this!
: platformeng
Depends on:
Blocks: 22596
Reported: 2012-03-11 08:41 UTC by Sumana Harihareswara
Modified: 2012-03-26 12:41 UTC (History)


Description Sumana Harihareswara 2012-03-11 08:41:12 UTC
,group,11 should contain all the people who will have the power to merge commits into the master branch of MediaWiki core, and into the master branch for each of our ~100 WMF-deployed MediaWiki extensions.

Right now we shall limit this to people who can deploy.  The list is at;a=blob;f=manifests/admins.pp;h=2080ad4588963dc512543978936ac5367c8d1efd;hb=HEAD -- do a manual (Control-F) search for the lists under "admins::mortals" + "admins::roots".

Possible people to add include: Timo, Trevor Parscal.

The reason for gating this (right now) to those who have cluster access: these will be the people who fix it when something is screwed up.

Inactivity is a reasonable reason for removing people from this list, so if someone hasn't contributed in the last two months, feel free to remove them from this Gerrit project owner group as well.

I'll soon be publishing the decision procedure for removing people from this list and adding people to it, but for now this is our starter group.
Comment 1 Sumana Harihareswara 2012-03-11 08:42:34 UTC
Assigning to Ryan Lane, to please take care of before March 21st.
Comment 2 Ryan Lane 2012-03-11 10:39:43 UTC
I don't think this needs to be assigned to me, does it?
Comment 3 Antoine "hashar" Musso (WMF) 2012-03-13 09:31:49 UTC
The mediawiki gerrit project contains mediawiki/core and all mediawiki extension repositories.

A group named mediawiki is allowed to do anything including:
- push: pushing a commit straight to the repository, bypassing code review entirely
- pushing merge commit : send a branch merge, bypassing code review entirely
- push annotated tag : mark a commit, for example for release purposes

That group currently includes the members of LDAP groups 'ops' and 'wmf'. In addition, we have added volunteer Platonides, who is one of the core mediawiki hackers.

We probably want to refine the matrix rights. Bypassing code-review (push & 'pushing merge commit' rights) should be a privilege for only a very restricted group of people (ops / platform engineering).

We need an LDAP group to hold volunteers with MediaWiki review rights.
Comment 4 Antoine "hashar" Musso (WMF) 2012-03-13 22:29:35 UTC
Following a discussion with Ryan, there is no point in adding volunteers or specific people in a new LDAP group. Since that group will only be used in Gerrit, we can just add them as exceptions in the Gerrit interface.

Removing Ryan from assignment.

We need to work on the access rights next week.
Comment 5 Sumana Harihareswara 2012-03-13 22:38:44 UTC
We need to do this access rights work this week, so we have time to test
* us adding people to this Gerrit project owner group, and verifying with three or four guinea pigs that they can merge code into the branch
* us changing people's permissions
* us removing people from groups and ensuring they can no longer merge code in

by Tuesday the 20th, so we can pull the switch on the 21st.
Comment 6 Sumana Harihareswara 2012-03-15 01:01:19 UTC
Populating the groups:

The "mediawiki" Gerrit project owner group includes individuals as well as the LDAP-driven groups "wmf",group,6 and "ops",group,7 .  I can add volunteers to the "mediawiki" Gerrit project owners list ("group") via the Gerrit user interface (click on "admin", click on "groups", and click on "mediawiki" and scroll down).  I can add WMF developers ("wmf") via shell access on formey, by adding individuals to the wmf LDAP group.  I cannot add individuals to the WMF operations ("ops") LDAP group; what is the procedure for ops people to get added to and removed from that LDAP group?
Comment 7 Sumana Harihareswara 2012-03-15 01:35:31 UTC
People get added to the ops group by the Wikimedia Foundation operations team, and sometimes they are removed for inactivity or because they do not need it anymore.  The list of "ops" LDAP group members will continue to live in "admins::roots" at;a=blob;f=manifests/admins.pp;h=2080ad4588963dc512543978936ac5367c8d1efd;hb=HEAD .

Not all Wikimedia Foundation software engineers will have merge powers for MediaWiki core, so instead of reusing the "wmf" LDAP group, we will use a new Gerrit group to contain WMFers who should have merge powers, or simply add them directly to the "mediawiki" Gerrit project owner group.
Comment 8 Sumana Harihareswara 2012-03-16 23:19:48 UTC
I've now added nearly all the people who have cluster access to the relevant Gerrit project group.  Just a few remain, mostly because they don't have Gerrit accounts yet.
Comment 9 Antoine "hashar" Musso (WMF) 2012-03-17 09:29:47 UTC
Removing 'wmf' from the 'mediawiki' group probably makes it clearer as to who is allowed to merge.

I guess we can close this bug now :-)
Comment 10 Chad H. 2012-03-26 12:41:39 UTC
This seems fixed. Permissions have been sorted (specifically, the harmful Push was removed), and all permissions are correct on mediawiki/* (assigned to 'mediawiki' and 'Project Owners').

This inherits to all extensions. We can add extra reviewer+merger folks on an extension-by-extension basis as needed (just add them to "Owner" on a given extension's refs/*)
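
An added example, not part of the original bug thread and not Wikimedia's configuration: a Python audit of a Gerrit `project.config` that flags the rights Comment 3 describes as bypassing code review (direct `push` and `pushMerge` on branches). The sample config is constructed; only the group names come from the thread, and the function names are hypothetical.

```python
import re

# Constructed sample in Gerrit's project.config format (refs/meta/config).
# Only the group names come from the thread; the rules are illustrative.
SAMPLE_CONFIG = '''
[access "refs/heads/*"]
    push = group mediawiki
    pushMerge = group mediawiki
    submit = group mediawiki
    label-Code-Review = -2..+2 group mediawiki
[access "refs/for/refs/heads/*"]
    push = group Registered Users
[access "refs/tags/*"]
    pushTag = group mediawiki
[access "refs/*"]
    owner = group Project Owners
    push = deny group wmf
'''

# Permissions that place commits on a branch without going through review.
BYPASS = {"push", "pushMerge"}
SECTION = re.compile(r'^\[access\s+"([^"]+)"\]$')
RULE = re.compile(r'^(\S+)\s*=\s*(.+)$')

def parse_access(text):
    """Yield (ref, permission, action, group) for every access rule."""
    ref = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            m = SECTION.match(line)
            ref = m.group(1) if m else None  # ignore non-access sections
            continue
        m = RULE.match(line)
        if ref and m:
            perm, value = m.groups()
            # value looks like: [deny|block] [min..max] group NAME
            head, _, group = value.partition("group ")
            action = "deny" if re.search(r"\b(deny|block)\b", head) else "allow"
            yield ref, perm, action, group.strip()

def review_bypass(text):
    """Return allow rules that let a group write to branches directly."""
    return [(ref, perm, group) for ref, perm, action, group in parse_access(text)
            if perm in BYPASS and action == "allow"
            and not ref.startswith("refs/for/")  # refs/for/* is upload for review
            and (ref.startswith("refs/heads/") or ref == "refs/*")]
```

On the constructed sample this reports the two `mediawiki` rules on `refs/heads/*`; the `refs/for/refs/heads/*` push (upload for review), the tag right and the `deny` rule are not flagged.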
