Hi JGit developers,
As part of a postmortem after an outage, some colleagues and I were noticing that more changes in JGit are landing with only self-+2 recently, which leads to fewer people understanding how the relevant code works. I can understand the motivation for that - it's hard to get a reviewer and sometimes a change is obviously good. But it also has downsides in terms of that kind of broader understanding of the code, helping new reviewers ramp up, and reliability and security (insider risk) consequences.
So I'd like to propose the following changes:
1. Require that all changes have at least a Code-Review+1 from a recognized person other than the uploader. I don't have strong opinions about what "recognized person" would mean here - from a security perspective, it's nice if it comes from some list that prevents a compromised committer from creating a sockpuppet account to do that, but the rest of the motivations would already be satisfied by "any separate account" (since a committer is always involved in a change and can notice if they seem to be the same person).
2. Allow uploaders to hit the submit button to merge a change if it's been sufficiently reviewed. This would reduce friction and compensate for the productivity loss from (1).
3. Encourage more reviewers to step up, to reduce the friction of (1). Provide some way to ask for more reviewer attention on a change - is this mailing list the best place for that, or do we want to use e.g. some IRC channel as well?
These are just my initial thoughts. Thoughts and improvements welcome.
What do you think?
Sincerely,
Jonathan