| 1 |
On 22/04/2021 14:39, Agostino Sarubbo wrote: |
| 2 |
> On giovedì 22 aprile 2021 12:02:20 CEST Michał Górny wrote: |
| 3 |
>> Well, I suppose scanning the dev branch would be preferable over |
| 4 |
>> the master branch. In reality, they are usually only a few hours apart |
| 5 |
>> but it might be useful to know of new breakage in dev before it's merged |
| 6 |
>> to master. |
| 7 |
>> |
| 8 |
>> It would be ideal if you could do a switch when master and dev are |
| 9 |
>> in sync, and just copy the state from master. |
| 10 |
> Hi, |
| 11 |
> |
| 12 |
> I think that your approach could be generally valid but for this use case I'm |
| 13 |
> against because of the following: |
| 14 |
> |
| 15 |
> 1) The approach is valid in cases like our github PRs and the bot that |
| 16 |
> approves the commit. In this case, who moves the commit between branches does |
| 17 |
> not know if the scan has been done or not. |
| 18 |
> |
| 19 |
> 2) I don't see the reason to scan against something that we don't know if will |
| 20 |
> be the same in master branch |
| 21 |
> |
| 22 |
> 3) We are not doing a similar approach for ::gentoo so I don't see why do this |
| 23 |
> for GURU since, after all, it is an overlay |
| 24 |
> |
| 25 |
> 4) Packages in master are supposed to be tested at least from 2 different |
| 26 |
> people (who made the commit in dev and who moves the commit to master) so it |
| 27 |
> means less bugspam |
| 28 |
|
| 29 |
Well, not quite, packages in master have been manually/visually checked |
| 30 |
for obvious (QA) mistakes and have been automatically checked by |
| 31 |
repoman/pkgcheck. In principle the role of the Trusted Contributor is |
| 32 |
first of all to ensure that no malicious commits make it into the master |
| 33 |
branch, as described on the wiki[1]. In practice this means that we also |
| 34 |
do basic QA checks and look at the repoman/pkgcheck results, since we |
| 35 |
are looking at the commit anyway. We do not actually run emerge on the |
| 36 |
ebuild, back in the early days I used to do that, but the amount of |
| 37 |
commits has grown enormously and it is no longer practically possible to |
| 38 |
do this (and here is where the tinderbox comes in handy). |
| 39 |
|
| 40 |
Furthermore, as per [1] we are not supposed to postpone a merge just |
| 41 |
because a commit has QA issues, fails to build or whatever. The only |
| 42 |
situation in which we do not merge a commit, is if it is malicious. QA |
| 43 |
issues or obvious mistakes are reported back to the author, or fixed |
| 44 |
immediately, but they do not disqualify a commit for merging to the |
| 45 |
master branch. |
| 46 |
|
| 47 |
On the matter of running the tinderbox on the master branch or the dev |
| 48 |
branch, I am undecided. It makes sense to do the checks as soon as |
| 49 |
possible and to fix things before they reach the master branch. On the |
| 50 |
other hand there are sometimes very big issues (missing dependencies and |
| 51 |
such) and I am not sure how the tinderbox will behave in these cases. |
| 52 |
Filing bugs for things which the Trusted Contributors can see in |
| 53 |
repoman/pkgcheck (such as missing dependencies) is a waste of cpu power, |
| 54 |
and only serves to increase the number of emails, so if the tinderbox |
| 55 |
would also file reports for these issues I would advise to run the |
| 56 |
tinderbox only on the master branch. (Then there is also the matter to |
| 57 |
consider that in theory the dev branch could contain malicious code, |
| 58 |
whereas the master branch is guaranteed to be free of this. So if the |
| 59 |
tinderbox runs on the dev branch, then in theory a hypothetical |
| 60 |
malicious commit might break the tinderbox.) |
| 61 |
|
| 62 |
Tl;dr Commits are checked, not actually tested. |
| 63 |
|
| 64 |
[1] |
| 65 |
https://wiki.gentoo.org/wiki/Project:GURU/Information_for_Trusted_Contributor |
| 66 |
|
| 67 |
>> One more thing: might be a good idea to consider splitting some |
| 68 |
>> of the 'big' trackers (like CFLAGS) between Gentoo and GURU. I think |
| 69 |
>> solving these bugs in GURU has lower priority than in Gentoo. |
| 70 |
> I think that trackers like CFLAGS/LDFLAGS are here to track how many packages |
| 71 |
> have the problem. I don't see it like (for example) the gcc-porting tracker |
| 72 |
> that gives the idea about how much packages need a fix and how much packages |
| 73 |
> need to be last-rited |
| 74 |
> |
| 75 |
> |
| 76 |
> Agostino |
| 77 |
> |
| 78 |
> |
| 79 |
> |
Archives