On 08/09/2012 03:30 AM, Dan Kenigsberg wrote:
On Wed, Aug 08, 2012 at 03:53:35PM -0400, Robert Middleswarth wrote:
> On 08/08/2012 03:07 PM, Dan Kenigsberg wrote:
>> On Wed, Aug 08, 2012 at 09:58:17AM -0400, Robert Middleswarth wrote:
>>> On 08/08/2012 09:50 AM, Dan Kenigsberg wrote:
>>>> On Wed, Aug 08, 2012 at 02:55:17PM +0200, Ewoud Kohl van Wijngaarden
wrote:
>>>>> On Wed, Aug 08, 2012 at 03:48:13PM +0300, Dan Kenigsberg wrote:
>>>>>> On Wed, Aug 08, 2012 at 07:47:02AM -0400, Robert Middleswarth
wrote:
>>>>>>> I have setup patch review on Jenkins.info for newly
submitted
>>>>>>> patches and it seems to be working pretty well over all but
last
>>>>>>> night well tweaking the process I broken it for a few min but
that
>>>>>>> was long enough that about 50 jobs were marked -1 I will be
fixing
>>>>>>> that today by rerunning the jobs. I am sorry if one of your
patches
>>>>>>> was dinged and it should be fixed by this time tomorrow.
>>>>>> Thanks, Robert, for working on this. It is highly important for
me to
>>>>>> know that something is going to break the build before taking it
in.
>>>>>>
>>>>>> However, would it be possible to have a repository where we can
review
>>>>>> the code of the robot?
>>>>> It's Gerrit Trigger[1] and the code is on github[2].
>>>>>
>>>>>> I think it is important for the robot to be less noisy, and
>>>>>> particularly, never give V+1. This task is reserved to humans
that
>>>>>> actually know what the patch should be doing.
>>>>> The V+1 has been fixed. Will give 0 when they pass, -1 when they
fail.
>>>>>
>>>>>> Also, I am not at all sure that the robot is limitting itself to
be
>>>>>> running code of trustworthy authors.
>>>>> Eyal added a feature request for this[3]. This was the result of a
>>>>> discussion on the infra mailing list[4].
>>>> As much as I like (and need) this per-commit verification, I think we
>>>> should not deploy it before the feature is implemented.
>>>>
>>>> BTW, Federico suggested to initiate the test only on request (when oVirt
>>>> Jenkins CI Server is added as reviewer). This would allow a more silent
>>>> start for CI.
>>>>
>>>> Thanks,
>>>> Dan.
>>> I already wrote a little bash code to do this outside the plug-in.
>>> It will be in place by the end of the day.
>> This kind of script is exactly the thing I'd like to be peer-reviewed
>> before applied en mass to gerrit changes. Particularly due to the
>> security implications.
>>
>> Regards,
>> Dan.
> If you are talking about the jenkins app that updates Gerrit that is
> has been in use on ovirt-node-devel for some time. As for the
> whitelist script that is like 4 lines.
>
> git log --pretty="%ce" -n 1 > $WORKSPACE/current_author.txt
Are we sure that the top author is good enough?
What if a trusted user builds on top of a non-trusted user? Does it
mean that the lower commits are automatically trusted?
You would assume that is
someone we trusted were to use code from a
non-trusted users they reviewed the code to make sure there wasn't some
code in there to try and hack the system. Once you take the code and
include it you have taken ownership of that code.
Thanks
Robert
> grep -f $WORKSPACE/current_author.txt $WORKSPACE/jenkins-whitelist.txt
> RETVAL=$?
> [ $RETVAL -ne 0 ] && curl -u jenkins_bot:xxxxxx $BUILD_URL/stop;
>
> It is simple and the files are generated outside of the repo so it
> should be safe.
--
Thanks
Robert Middleswarth
@rmiddle (twitter/IRC)