project wide changes to maintainer ACLs

Brad Bishop bradleyb at fuzziesquirrel.com
Wed Nov 2 06:39:27 AEDT 2022


On Tue, Nov 01, 2022 at 01:53:25PM -0500, Patrick Williams wrote:
>On Mon, Oct 31, 2022 at 07:05:52PM -0400, Brad Bishop wrote:
>> OpenBMC maintainers
>>
>> This coming Sunday, November 6th, absent any feedback here I am planning
>> on:
>>
>> 1 - Removing admin repository access by <xyz>-maintainers groups from
>> all projects on GitHub that use the OpenBMC Gerrit instance for peer
>> review (no change for projects that do not use the Gerrit instance like
>> the kernel, u-boot, or qemu).
>> 2 - Copying the submit prolog rules from the openbmc/openbmc Gerrit
>> project to the openbmc-all-repos Gerrit project.
>>
>> Impacts to maintainers are:
>>
>> 1 - Members of <xyz-maintainers> groups will no longer have any special
>> access to the GitHub repository (such as push, force-push).  If anyone
>> requires such access, please respond to this email.
>>
>> 2 - You may now delegate the Gerrit OWNER role via the OWNERS file in
>> your project, as supported by the OWNERS plugin documented here:
>> https://gerrit.googlesource.com/plugins/owners/+/refs/heads/master/config.md
>
>In order to accomplish #2, I thought previous investigations yielded
>that everyone needed to be added to have +2 (even though it was
>meaningless unless also confirmed by the OWNER plugin).  Has this been
>resolved?  Are we going to move everyone to have this?  Or are we going
>to have a global "maintainers group" with +2 abilities?

Thanks Patrick, yes we've overlooked some things.

(Most of) the existing per-project maintainer groups in GitHub already 
have the project owner permission on the corresponding Gerrit project.  
I think the way I thought this would work was that new maintainers being 
added in the OWNERS files would get added to the <xyz>-maintainers group 
and thus get +2, but I've come to realize that isn't what we want.

If I ignore GitHub and Gerrit project owners for a minute, I think the 
ideal setup would be that everyone can leave a +1.  In order for a 
change to be approved, all OWNERS of files touched must give a +1.  We 
completely do away with +2.  No special groups or per-project access 
rules are required for this.

In the proposal I said we'd remove special access to the GitHub 
projects.  So if there are still no objections to that, I think the only 
remaining thing we need to consider is how to do the Gerrit project 
owner permission.  Today, those are done with the <xyz>-maintainer 
groups in GitHub, and per-Gerrit-project access rules assigning the 
owner permission to the GitHub group.  We can continue to do that, but 
it is very appealing to me to just scrap all the groups and Gerrit 
project specific access rules if that is a possibility.  Doing that 
means maintainers today lose their "project owner" access to their 
Gerrit project.  I don't know if anyone is actually using that access.

