1 |
On 22/04/2021 14:39, Agostino Sarubbo wrote: |
2 |
> On giovedì 22 aprile 2021 12:02:20 CEST Michał Górny wrote: |
3 |
>> Well, I suppose scanning the dev branch would be preferable over |
4 |
>> the master branch. In reality, they are usually only a few hours apart |
5 |
>> but it might be useful to know of new breakage in dev before it's merged |
6 |
>> to master. |
7 |
>> |
8 |
>> It would be ideal if you could do a switch when master and dev are |
9 |
>> in sync, and just copy the state from master. |
10 |
> Hi, |
11 |
> |
12 |
> I think that your approach could be generally valid but for this use case I'm |
13 |
> against because of the following: |
14 |
> |
15 |
> 1) The approach is valid in cases like our github PRs and the bot that |
16 |
> approves the commit. In this case, who moves the commit between branches does |
17 |
> not know if the scan has been done or not. |
18 |
> |
19 |
> 2) I don't see the reason to scan against something that we don't know if will |
20 |
> be the same in master branch |
21 |
> |
22 |
> 3) We are not doing a similar approach for ::gentoo so I don't see why do this |
23 |
> for GURU since, after all, it is an overlay |
24 |
> |
25 |
> 4) Packages in master are supposed to be tested at least from 2 different |
26 |
> people (who made the commit in dev and who moves the commit to master) so it |
27 |
> means less bugspam |
28 |
|
29 |
Well, not quite, packages in master have been manually/visually checked |
30 |
for obvious (QA) mistakes and have been automatically checked by |
31 |
repoman/pkgcheck. In principle the role of the Trusted Contributor is |
32 |
first of all to ensure that no malicious commits make it into the master |
33 |
branch, as described on the wiki[1]. In practice this means that we also |
34 |
do basic QA checks and look at the repoman/pkgcheck results, since we |
35 |
are looking at the commit anyway. We do not actually run emerge on the |
36 |
ebuild, back in the early days I used to do that, but the amount of |
37 |
commits has grown enormously and it is no longer practically possible to |
38 |
do this (and here is where the tinderbox comes in handy). |
39 |
|
40 |
Furthermore, as per [1] we are not supposed to postpone a merge just |
41 |
because a commit has QA issues, fails to build or whatever. The only |
42 |
situation in which we do not merge a commit, is if it is malicious. QA |
43 |
issues or obvious mistakes are reported back to the author, or fixed |
44 |
immediately, but they do not disqualify a commit for merging to the |
45 |
master branch. |
46 |
|
47 |
On the matter of running the tinderbox on the master branch or the dev |
48 |
branch, I am undecided. It makes sense to do the checks as soon as |
49 |
possible and to fix things before they reach the master branch. On the |
50 |
other hand there are sometimes very big issues (missing dependencies and |
51 |
such) and I am not sure how the tinderbox will behave in these cases. |
52 |
Filing bugs for things which the Trusted Contributors can see in |
53 |
repoman/pkgcheck (such as missing dependencies) is a waste of cpu power, |
54 |
and only serves to increase the number of emails, so if the tinderbox |
55 |
would also file reports for these issues I would advise to run the |
56 |
tinderbox only on the master branch. (Then there is also the matter to |
57 |
consider that in theory the dev branch could contain malicious code, |
58 |
whereas the master branch is guaranteed to be free of this. So if the |
59 |
tinderbox runs on the dev branch, then in theory a hypothetical |
60 |
malicious commit might break the tinderbox.) |
61 |
|
62 |
Tl;dr Commits are checked, not actually tested. |
63 |
|
64 |
[1] |
65 |
https://wiki.gentoo.org/wiki/Project:GURU/Information_for_Trusted_Contributor |
66 |
|
67 |
>> One more thing: might be a good idea to consider splitting some |
68 |
>> of the 'big' trackers (like CFLAGS) between Gentoo and GURU. I think |
69 |
>> solving these bugs in GURU has lower priority than in Gentoo. |
70 |
> I think that trackers like CFLAGS/LDFLAGS are here to track how many packages |
71 |
> have the problem. I don't see it like (for example) the gcc-porting tracker |
72 |
> that gives the idea about how much packages need a fix and how much packages |
73 |
> need to be last-rited |
74 |
> |
75 |
> |
76 |
> Agostino |
77 |
> |
78 |
> |
79 |
> |