
Topic on Talk:Gerrit/Privilege policy

Proposal: Lack of consensus for privilege in "other" group, send an email to wikitech-l

TCipriani (WMF) (talkcontribs)

There is a problem when no consensus is reached for a request. The policy states that the next step is to refer the matter to TechCom. As noted elsewhere on the talk page, there is no current TechCom equivalent.

This is rarely a problem for privilege requests to mediawiki since the email to wikitech-l is usually sufficient to spur discussion on a task that is unambiguous in its recommendation.

This is a problem for requests to other groups because there may be no discussion whatsoever on the phabricator task.

It could be argued that this is a negative endorsement; however, for abandoned extensions, it may be that few are paying attention.

I'd like to amend the policy to direct people to email wikitech-l in the case that there is no feedback on a task requesting privileges in a non-mediawiki group within the two week period tasks must remain open. And in the case that no objections are raised, to grant the privilege (fail to open).

BBearnes (WMF) (talkcontribs)

> I'd like to amend the policy to direct people to email wikitech-l in the case that there is no feedback on a task requesting privileges in a non-mediawiki group within the two week period tasks must remain open. And in the case that no objections are raised, to grant the privilege (fail to open).

Should this still be restricted in some way to "known contributors" with some history of activity on the projects, or at least some clear history of participation in the broader FOSS community?

BDavis (WMF) (talkcontribs)

> Should this still be restricted in some way to "known contributors"

@BBearnes (WMF) are you thinking about this as a way to slow down things like the XZ Utils supply chain attack or do you see other justifications for limiting who an abandoned project is passed on to?

I feel personally pretty torn between wanting to help anyone who is motivated to support an otherwise unsupported extension/skin/library/tool and wanting the downstream folks who use that software product to be able to trust that the software will not become malicious. Hopefully it is obvious that in an ideal world we would get both outcomes from every decision. When we are talking about attempts to adopt code where nobody has been able to make contact with the original authors I think that in the abstract I would support any maintainer over no maintainer, but I'm not sure how to condense that feeling into a scoring rubric of some sort for evaluating requests.

BBearnes (WMF) (talkcontribs)

Yeah, that was pretty much my thinking. I guess I feel like "any maintainer who's not gonna (for example) backdoor unsuspecting users", but I too am unsure how to most usefully set up rules that best help ensure that.

Pppery (talkcontribs)

If a repo is truly abandoned enough for nobody to care then it probably doesn't have any users checking the repo specifically (as opposed to checking the MediaWiki.org page which could be edited by anyone to point to a backdoored repo).
