Apply implicit approvals only when change owner == last patch set uploader

So far implicit approvals are applied on all patch sets that are
uploaded by a code owner. This has some implications that are unexpected
to users. E.g. if a non-code-owner uploads a change and a code owner
edits its commit message, the change gets implicitly code owner approved
(because editing the commit message creates a new patch set that is
uploaded by the code owner, and hence is implicitly code owner
approved).

Applying implicit approvals only based on the change owner (all patch
sets of changes that are owned by a code owner are automatically
approved) is even worse, as a non-code-owner could upload a new patch
set to a change that is owned by a code owner and then get their patch
set implicitly approved by the change owner. This would allow
non-code-owners to get arbitrary code implicitly code owner approved.

To avoid both issues we now apply implicit code owner approvals only if
a change is owned by a code owner and if the last patch set was uploaded
by the change owner (change owner == last patch set uploader).

This doesn't resolve all security concerns about enabling implicit code
owner approvals, but is much safer than what we have now. It remains an
issue that code owners must be aware of their implicit code owner
approval when creating changes. E.g. if a code owner helps a contributor
to rebase a patch to another branch, they implicitly approve the change
on the other branch (since the code owner is the change owner).

Signed-off-by: Edwin Kempin <ekempin@google.com>
Change-Id: I33d5e7433172847d6ee419a7a17740353cd34a99
10 files changed
tree: aa86f3611f6b008231290225d0eb211dbaeb9ff2
  1. java/
  2. javatests/
  3. proto/
  4. resources/
  5. test/
  6. ui/
  7. .eslintrc.json
  8. .gitignore
  9. .gitreview
  10. bower.json
  11. BUILD
  12. LICENSE
  13. package-lock.json
  14. package.json
  15. README.md
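
The three implicit-approval rules that the commit message compares, modelled as an added example (this is not code from the plugin or from this commit). The account names `alice` and `bob`, the `Change` class and the rule function names are assumptions made for illustration.

```python
from dataclasses import dataclass

CODE_OWNERS = frozenset({"alice"})  # constructed sample; "bob" is not a code owner

@dataclass(frozen=True)
class Change:
    owner: str        # account that created the change
    uploaders: tuple  # uploader of each patch set, oldest first

    @property
    def last_uploader(self):
        return self.uploaders[-1]

def uploader_rule(c, owners=CODE_OWNERS):
    """Previous behaviour: the current patch set was uploaded by a code owner."""
    return c.last_uploader in owners

def change_owner_rule(c, owners=CODE_OWNERS):
    """Rejected alternative: the change is owned by a code owner."""
    return c.owner in owners

def owner_is_uploader_rule(c, owners=CODE_OWNERS):
    """Rule from the commit message: code-owner change owner == last uploader."""
    return c.owner in owners and c.last_uploader == c.owner

RULES = (uploader_rule, change_owner_rule, owner_is_uploader_rule)

# Constructed scenarios, one per case the commit message walks through.
SCENARIOS = {
    "alice edits commit message of bob's change": Change("bob", ("bob", "alice")),
    "bob uploads patch set to alice's change": Change("alice", ("alice", "bob")),
    "alice uploads her own change": Change("alice", ("alice",)),
    "alice rebases bob's patch as a new change": Change("alice", ("alice",)),
}

def evaluate(scenarios=SCENARIOS):
    """Return {scenario: {rule name: implicitly approved?}}."""
    return {name: {r.__name__: r(c) for r in RULES}
            for name, c in scenarios.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name}: {verdicts}")
```

The last scenario is the remaining issue the commit message names: the rule sees only the owner and uploader accounts, so a change created by a code owner is implicitly approved regardless of who wrote the content.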
README.md

Gerrit Code Review code-owners plugin

This plugin provides support for defining code owners for files in a repository.

If the code-owners plugin is enabled, changes can only be submitted if all touched files are covered by approvals from code owners.

Also see resources/Documentation/about.md.

IMPORTANT: Before installing/enabling the plugin follow the instructions from the setup guide, see resources/Documentation/setup-guide.md.