From 88814ef9c5241bb192e5ed6a44cc7addb26e3ede Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Tue, 10 Jan 2012 15:25:53 -0800 Subject: [PATCH] Document changes to forge permissions. The main problems with restricting forging of author or committer are around cherry-picking and submitting patches on behalf of third parties. When cherry-picking, normally the Author of a commit will be kept, and the committer changed. That means that to support cherry-picking, we need to allow anyone to forge the author identity, but not the committer id. This change permits that. Note that all contributors are required to sign the CLA. If we allow forging of author identities, we open a hole where a person who has signed the CLA could submit a patch authored by someone who has not. However, in general people are expected to upload their own changes (except for cherry-picking across branches, and those changes have already been uploaded by a person who signed the CLA). So in practice we wouldn't expect a change submitted on behalf of a third party. If we want to support easily cherry-picking, we'll have to accept that and inform developers of the behavioral expectation. At least by not allowing the forging of committer identities, there is still a person who signed the CLA who is "on the hook" for that change. Change-Id: I3893fd75d3dc3f724d5aae036b2108ce75409af8 --- doc/gerrit.rst | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/doc/gerrit.rst b/doc/gerrit.rst index 1c4f715e..52a1ce7e 100644 --- a/doc/gerrit.rst +++ b/doc/gerrit.rst @@ -631,7 +631,7 @@ These permissions try to achieve the high level goals:: refs/* read: anonymous push annotated tag: release managers, ci tools, project bootstrappers - forge author identity: project bootstrappers + forge author identity: project bootstrappers, registered users forge committer identity: project bootstrappers push (w/ force push): project bootstrappers create reference: project bootstrappers, release managers 
@@ -663,8 +663,6 @@ These permissions try to achieve the high level goals:: -2/+2 opestack-stable-maint -1/+1 registered users label approved (exclusive): 0/+1: opestack-stable-maint - forge author identity: openstack-stable-maint - forge committer identity: openstack-stable-maint refs/meta/config read: project owners @@ -672,8 +670,6 @@ These permissions try to achieve the high level goals:: API Projects (metaproject): refs/* owner: Administrators - forge author identity: openstack-doc-core - forge committer identity: openstack-doc-core refs/heads/* label code review -2/+2: openstack-doc-core @@ -682,8 +678,6 @@ These permissions try to achieve the high level goals:: project foo: refs/* owner: Administrators - forge author identity: foo-core - forge committer identity: foo-core refs/heads/* label code review -2/+2: foo-core
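Review bot: In the first hunk (@@ -631), the `forge author identity: project bootstrappers, registered users` line on `refs/*` is the only insertion in the patch, so the reasoning in the commit message (author forging is opened up to support cherry-picking, committer forging stays restricted so that a CLA signer remains accountable for each upload) never reaches doc/gerrit.rst. Please add a short paragraph next to this permissions block stating that uploaders are expected to push their own work or cherry-picks of already-reviewed changes. The commit message says developers need to be informed of that expectation, and this document is the natural place for it.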
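Review bot: In the second hunk (@@ -663), removing `forge committer identity: openstack-stable-maint` along with the author line goes further than the commit message argues for, since it only discusses author forging for cherry-picks. Please confirm that the stable maintainers never need to push a commit whose committer field is not their own, because after this change only project bootstrappers can. Separately, the unchanged context lines in this hunk spell the group `opestack-stable-maint` (in the `-2/+2` line and the `label approved` line), while the removed lines spell it `openstack-stable-maint`. That typo is worth fixing in this file in the same or a follow-up change, since someone copying these lines would configure a group name that does not match.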
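Review bot: In the last two hunks (@@ -672 and @@ -682), dropping both forge lines from the `API Projects (metaproject)` and `project foo` blocks leaves those sections with no statement about forging at all. If the intent is that projects now rely on the `refs/*` entries changed in the first hunk, say so in the text around these blocks. Otherwise someone using `project foo` as a template has no hint that `forge committer identity` was deliberately taken away from the core groups, and may add it back per project.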