commit | a61bb6e940ce00f2602d19163e8d410c857a649a | |
---|---|---|
author | Edwin Kempin <ekempin@google.com> | Fri Apr 16 14:12:21 2021 +0200 |
committer | Edwin Kempin <ekempin@google.com> | Wed May 05 09:28:15 2021 +0000 |
tree | aa86f3611f6b008231290225d0eb211dbaeb9ff2 | |
parent | 1cd49c8fb3e75eb48f84b19d89dde1c82be4b81b | |

Apply implicit approvals only when change owner == last patch set uploader

So far implicit approvals are applied on all patch sets that are uploaded by a code owner. This has some implications that are unexpected to users. E.g. if a non-code-owner uploads a change and a code owner edits its commit message, the change gets implicitly code owner approved (because editing the commit message creates a new patch set that is uploaded by the code owner, and hence is implicitly code owner approved).

Applying implicit approvals only based on the change owner (all patch sets of changes that are owned by a code owner are automatically approved) is even worse, as a non-code-owner could upload a new patch set to a change that is owned by a code owner and then get their patch set implicitly approved by the change owner. This would allow non-code-owners to get arbitrary code implicitly code owner approved.

To avoid both issues we now apply implicit code owner approvals only if a change is owned by a code owner and if the last patch set was uploaded by the change owner (change owner == last patch set uploader).

This doesn't resolve all security concerns about enabling implicit code owner approvals, but is much safer than what we have now. It remains an issue that code owners must be aware of their implicit code owner approval when creating changes. E.g. if a code owner helps a contributor to rebase a patch to another branch, they implicitly approve the change on the other branch (since the code owner is the change owner).

Signed-off-by: Edwin Kempin <ekempin@google.com>
Change-Id: I33d5e7433172847d6ee419a7a17740353cd34a99

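The three approval rules compared in the commit message, modelled as an added example (not the plugin's code and not part of the commit). The account names, the scenario list and the `content_from` field are constructed assumptions used to mark who actually wrote the code; `content_from` is not a Gerrit field.

```python
from dataclasses import dataclass

CODE_OWNERS = {"alice"}  # constructed: alice is a code owner, bob is not


@dataclass(frozen=True)
class Change:
    name: str
    owner: str          # account that created the change
    last_uploader: str  # account that uploaded the current patch set
    content_from: str   # who wrote the code (model assumption, not a Gerrit field)


def by_uploader(c):
    """Behaviour before this commit: any patch set uploaded by a code owner."""
    return c.last_uploader in CODE_OWNERS


def by_owner(c):
    """Alternative the message rejects: look at the change owner only."""
    return c.owner in CODE_OWNERS


def owner_is_uploader(c):
    """Rule from this commit: code-owner change owner who is also the last uploader."""
    return c.owner in CODE_OWNERS and c.last_uploader == c.owner


# Constructed scenarios, each taken from a case the commit message describes.
SCENARIOS = [
    Change("owner-authored", "alice", "alice", "alice"),
    Change("commit-message-edit", "bob", "alice", "bob"),
    Change("patch-set-on-owners-change", "alice", "bob", "bob"),
    Change("rebase-for-contributor", "alice", "alice", "bob"),
    Change("no-code-owner-involved", "bob", "bob", "bob"),
]


def unintended_approvals(policy):
    """Scenarios implicitly approved although the code came from a non-code-owner."""
    return [c.name for c in SCENARIOS
            if policy(c) and c.content_from not in CODE_OWNERS]


if __name__ == "__main__":
    for policy in (by_uploader, by_owner, owner_is_uploader):
        print(f"{policy.__name__:18} -> {unintended_approvals(policy)}")
```

Only the rebase case remains implicitly approved under the new rule, which is the residual concern the message calls out.
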
This plugin provides support for defining code owners for files in a repository.
If the code-owners plugin is enabled, changes can only be submitted if all touched files are covered by approvals from code owners.
Also see resources/Documentation/about.md.
IMPORTANT: Before installing/enabling the plugin follow the instructions from the setup guide, see resources/Documentation/setup-guide.md.