[vdsm] Jenkins and Gerrit.

Robert Middleswarth robert at middleswarth.net
Thu Aug 9 13:03:38 UTC 2012


On 08/09/2012 03:30 AM, Dan Kenigsberg wrote:
> On Wed, Aug 08, 2012 at 03:53:35PM -0400, Robert Middleswarth wrote:
>> On 08/08/2012 03:07 PM, Dan Kenigsberg wrote:
>>> On Wed, Aug 08, 2012 at 09:58:17AM -0400, Robert Middleswarth wrote:
>>>> On 08/08/2012 09:50 AM, Dan Kenigsberg wrote:
>>>>> On Wed, Aug 08, 2012 at 02:55:17PM +0200, Ewoud Kohl van Wijngaarden wrote:
>>>>>> On Wed, Aug 08, 2012 at 03:48:13PM +0300, Dan Kenigsberg wrote:
>>>>>>> On Wed, Aug 08, 2012 at 07:47:02AM -0400, Robert Middleswarth wrote:
>>>>>>>> I have setup patch review on Jenkins.info for newly submitted
>>>>>>>> patches and it seems to be working pretty well over all but last
>>>>>>>> night well tweaking the process I broken it for a few min but that
>>>>>>>> was long enough that about 50 jobs were marked -1 I will be fixing
>>>>>>>> that today by rerunning the jobs.  I am sorry if one of your patches
>>>>>>>> was dinged and it should be fixed by this time tomorrow.
>>>>>>> Thanks, Robert, for working on this. It is highly important for me to
>>>>>>> know that something is going to break the build before taking it in.
>>>>>>>
>>>>>>> However, would it be possible to have a repository where we can review
>>>>>>> the code of the robot?
>>>>>> It's Gerrit Trigger[1] and the code is on github[2].
>>>>>>
>>>>>>> I think it is important for the robot to be less noisy, and
>>>>>>> particularly, never give V+1. This task is reserved to humans that
>>>>>>> actually know what the patch should be doing.
>>>>>> The V+1 has been fixed. Will give 0 when they pass, -1 when they fail.
>>>>>>
>>>>>>> Also, I am not at all sure that the robot is limitting itself to be
>>>>>>> running code of trustworthy authors.
>>>>>> Eyal added a feature request for this[3]. This was the result of a
>>>>>> discussion on the infra mailing list[4].
>>>>> As much as I like (and need) this per-commit verification, I think we
>>>>> should not deploy it before the feature is implemented.
>>>>>
>>>>> BTW, Federico suggested to initiate the test only on request (when oVirt
>>>>> Jenkins CI Server is added as reviewer). This would allow a more silent
>>>>> start for CI.
>>>>>
>>>>> Thanks,
>>>>> Dan.
>>>> I already wrote a little bash code to do this outside the plug-in.
>>>> It will be in place by the end of the day.
>>> This kind of script is exactly the thing I'd like to be peer-reviewed
>>> before applied en mass to gerrit changes. Particularly due to the
>>> security implications.
>>>
>>> Regards,
>>> Dan.
>> If you are talking about the jenkins app that updates Gerrit that is
>> has been in use on ovirt-node-devel for some time. As for the
>> whitelist script that is like 4 lines.
>>
>> git log --pretty="%ce" -n 1 >  $WORKSPACE/current_author.txt
> Are we sure that the top author is good enough?
> What if a trusted user builds on top of a non-trusted user? Does it
> mean that the lower commits are automatically trusted?
You would assume that is someone we trusted were to use code from a 
non-trusted users they reviewed the code to make sure there wasn't some 
code in there to try and hack the system.  Once you take the code and 
include it you have taken ownership of that code.

Thanks
Robert
>
>> grep -f $WORKSPACE/current_author.txt $WORKSPACE/jenkins-whitelist.txt
>> RETVAL=$?
>> [ $RETVAL -ne 0 ] && curl -u jenkins_bot:xxxxxx $BUILD_URL/stop;
>>
>> It is simple and the files are generated outside of the repo so it
>> should be safe.


-- 
Thanks
Robert Middleswarth
@rmiddle (twitter/IRC)




More information about the Infra mailing list