Document changes to forge permissions.

The main problems with restricting forging of author or committer
are around cherry-picking and submitting patches on behalf of third
parties.

When cherry-picking, normally the Author of a commit will be kept,
and the committer changed.  That means that to support cherry-picking,
we need to allow anyone to forge the author identity, but not the
committer id.

This change permits that.

Note that all contributors are required to sign the CLA.  If we allow
forging of author identities, we open a hole where a person who has
signed the CLA could submit a patch authored by someone who has not.

However, in general people are expected to upload their own changes
(except for cherry-picking across branches, and those changes have
already been uploaded by a person who signed the CLA).  So in practice
we wouldn't expect a change submitted on behalf of a third party.
If we want to support easily cherry-picking, we'll have to accept that
and inform developers of the behavioral expectation.

At least by not allowing the forging of committer identities, there is
still a person who signed the CLA who is "on the hook" for that change.

Change-Id: I3893fd75d3dc3f724d5aae036b2108ce75409af8
James E. Blair
2012-01-10 15:25:53 -08:00
parent 97748ce17e
commit 88814ef9c5

@@ -631,7 +631,7 @@ These permissions try to achieve the high level goals::
refs/*
read: anonymous
push annotated tag: release managers, ci tools, project bootstrappers
forge author identity: project bootstrappers
forge author identity: project bootstrappers, registered users
forge committer identity: project bootstrappers
push (w/ force push): project bootstrappers
create reference: project bootstrappers, release managers
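Review bot: The widened rule `forge author identity: project bootstrappers, registered users` under `refs/*` lands without any accompanying text in the document, although the commit message says developers have to be informed of the behavioral expectation. Please add a sentence next to this permissions block stating that uploaders are expected to push only their own changes or cherry-picks of changes that were already uploaded by a CLA signer, and that the committer, which still cannot be forged by registered users, is the person accountable for the change. Without that, a reader of the permissions list sees only that any registered user may set an arbitrary author.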
@@ -663,8 +663,6 @@ These permissions try to achieve the high level goals::
-2/+2 opestack-stable-maint
-1/+1 registered users
label approved (exclusive): 0/+1: opestack-stable-maint
forge author identity: openstack-stable-maint
forge committer identity: openstack-stable-maint
refs/meta/config
read: project owners
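Review bot: The context lines around the removed forge entries spell the group `opestack-stable-maint` (in the `-2/+2` line and in `label approved (exclusive)`), while the removed lines use `openstack-stable-maint`. Since this change already touches the block, please correct the two remaining occurrences so the documented group name matches the real one; an administrator copying these lines into a project's access configuration would otherwise reference a group that does not exist and the labels would not apply to the stable maintainers.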
@@ -672,8 +670,6 @@ These permissions try to achieve the high level goals::
API Projects (metaproject):
refs/*
owner: Administrators
forge author identity: openstack-doc-core
forge committer identity: openstack-doc-core
refs/heads/*
label code review -2/+2: openstack-doc-core
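Review bot: Dropping `forge committer identity: openstack-doc-core` from the `API Projects (metaproject)` `refs/*` block leaves no committer-forging grant for that group anywhere in the visible hunks, since the global `refs/*` rule keeps it for project bootstrappers only. The commit message argues for this, but please confirm that no doc-core workflow depends on pushing commits whose committer is someone else, and mention in the document text that committer forging is now intentionally limited to project bootstrappers.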
@@ -682,8 +678,6 @@ These permissions try to achieve the high level goals::
project foo:
refs/*
owner: Administrators
forge author identity: foo-core
forge committer identity: foo-core
refs/heads/*
label code review -2/+2: foo-core
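Review bot: In the `project foo` block, which reads as the example for per-project setup, both forge lines are removed without a replacement note. Someone modelling a new project on this block has no hint that author forging now comes from the global `refs/*` rule and that per-project forge grants should not be re-added. A short comment to that effect beside `owner: Administrators` would keep new project configurations from reintroducing `forge committer identity` for core groups.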