I created one: ZOOKEEPER-3968
When running commit script we can add this to the commit message.

- Norbert

On Fri, Oct 9, 2020 at 2:03 PM Enrico Olivelli <eolive...@gmail.com> wrote:

> On Fri, Oct 9, 2020, 13:51 Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:
>
> > We could create an umbrella jira for the ones that have not been updated, something like "BugBash fixes" and just commit them under it.
>
> Works for me for trivial patches.
> Good idea Norbert
>
> Enrico
>
> > On Sat, Oct 3, 2020 at 10:01 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > > Tom
> > > Generally the only requirement is that you create a JIRA and report the JIRA id in the commit message.
> > > Creating a JIRA also helps the contributor to understand/classify the problem and the proposed solution.
> > >
> > > I forgot to add that there should be some statement in the PR comments that tells that the contributor agrees to the ASLv2 terms, at least for the first pull requests.
> > >
> > > I really appreciate this work of MuseDev
> > > Let's try to make it work the best as possible
> > >
> > > Enrico
> > >
> > > On Sat, Oct 3, 2020, 07:18 Tom DuBuisson <to...@muse.dev> wrote:
> > >
> > > > > Perhaps Muse.dev can work with us to automate the process of creating tickets for the issues that were raised?
> > > >
> > > > We don't have any way to automatically open matching JIRA issues but can certainly guide the new contributors to the right steps. I'll check in with them on their respective PRs.
> > > >
> > > > On Fri, Oct 2, 2020 at 8:34 AM Rich Bowen <rbo...@rcbowen.com> wrote:
> > > >
> > > > > I know you're not asking me, but with my Community Development hat on, I strenuously encourage you to view this as an opportunity to bring on new contributors, and couch your response accordingly. Anything that comes across as scolding them for Doing It Wrong is going to leave a bad taste and possibly lose new contributors, particularly when we invited them to participate in this process. We did invite them, and we did point them to the issues, via Muse.dev. Perhaps Muse.dev can work with us to automate the process of creating tickets for the issues that were raised?
> > > > >
> > > > > On 10/2/20 11:26 AM, Enrico Olivelli wrote:
> > > > > > Hey !
> > > > > > it looks like the Bug bash has brought a few Pull Requests
> > > > > > https://github.com/apache/zookeeper/pulls
> > > > > >
> > > > > > Unfortunately they are not following the contribution guidelines (for instance there is no associated JIRA)
> > > > > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/HowToContribute
> > > > > >
> > > > > > Most of the PR are about trivial fixes, I am not sure if a JIRA is deserved.
> > > > > >
> > > > > > What should we do?
> > > > > > My proposal is to ping the contributor in order to obey the guide and then finally accept the patches, as Micheal Han did in this patch
> > > > > > https://github.com/apache/zookeeper/pull/1470
> > > > > >
> > > > > > I don't want to see that patches remaining on github as low hanging fruit, so it is better that we decide how to work on them,
> > > > > > another option is to close them as invalid (It would be a pity IMHO)
> > > > > >
> > > > > > Enrico
> > > > > >
> > > > > > On Mon, Sep 28, 2020 at 15:03 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > >
> > > > > > > Enrico,
> > > > > > > That sounds great. We'll get the repo activated.
> > > > > > >
> > > > > > > Tom
> > > > > > >
> > > > > > > On Sun, Sep 27, 2020, 11:11 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > >
> > > > > > > > Tom
> > > > > > > > Overall I think that we can move forward.
> > > > > > > >
> > > > > > > > This thread has been around for a while, there are no objections, every question has been answered.
> > > > > > > >
> > > > > > > > Thank you very much
> > > > > > > >
> > > > > > > > I hope this activity will help in growing Zookeeper project both in code quality and with more contributions, that is to help the community to grow.
> > > > > > > >
> > > > > > > > Best regards
> > > > > > > >
> > > > > > > > Enrico
> > > > > > > >
> > > > > > > > On Mon, Sep 28, 2020, 01:27 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > >
> > > > > > > > > Norbert,
> > > > > > > > >
> > > > > > > > > Yes, you understand that correctly. And those analyzers are FindSecBugs, Error Prone and Infer. All open source and in moderate to wide use already. Only find sec bugs is security specific - Infer and Error Prone might find security bugs but they are more general purpose in nature.
> > > > > > > > >
> > > > > > > > > -Tom
> > > > > > > > >
> > > > > > > > > On Sun, Sep 27, 2020 at 3:43 PM Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:
> > > > > > > > >
> > > > > > > > > > Hello Tom,
> > > > > > > > > >
> > > > > > > > > > +1 on the initiative, thanks for bringing this to our attention.
> > > > > > > > > >
> > > > > > > > > > If I understand correctly, there will be no disclosed security issues which cannot be found with open source static analyzers.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > Norbert
> > > > > > > > > >
> > > > > > > > > > On Sun, Sep 27, 2020 at 8:23 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > Hello Guys,
> > > > > > > > > > >
> > > > > > > > > > > In general I like the idea, but unfortunately I can not really participate (either in the coding or in the review) as I have a few important projects close to deadline at the moment.
> > > > > > > > > > >
> > > > > > > > > > > My only concern is with the security bugs, which I don't like to be openly reported before publishing a release with the fix. But for any other kind of bugfixes / improvements, I am very positive with the initiative.
> > > > > > > > > > >
> > > > > > > > > > > Best regards,
> > > > > > > > > > > Mate
> > > > > > > > > > >
> > > > > > > > > > > On Sun, Sep 27, 2020, 07:06 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Enrico et al,
> > > > > > > > > > > >
> > > > > > > > > > > > Are there other thoughts on this? It would be great to get setup before the bash actually begins. Enrico, lacking other voices would you like to make a final call?
> > > > > > > > > > > >
> > > > > > > > > > > > -Tom
> > > > > > > > > > > >
> > > > > > > > > > > > On Thu, Sep 24, 2020 at 3:30 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Tom,
> > > > > > > > > > > > > Personally I am +1 with this proposal. Thanks for your clarifications.
> > > > > > > > > > > > >
> > > > > > > > > > > > > But we should hear opinions from other people in this list
> > > > > > > > > > > > >
> > > > > > > > > > > > > Enrico
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Wed, Sep 23, 2020 at 23:51 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Enrico,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On the topic security issues and reporting: Muse's default configuration is open source tools and here it is run on open source projects. The results are thus already available publicly (in this case from FSB, Infer, and Error Prone). Muse doesn't post anything to GitHub except in the case of pull requests and then only if the bug is deemed to have been "introduced" as part of the PR - meaning it shouldn't be a vulnerability in currently shipped software.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > If there are desires or proposals about more control over bug reports in a convenient, configurable, manner then we'd really like to dig in and hear how to help. In case there is more discussion on this point I'm CCing Andrew who leads Muse's product design.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > -Tom
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Wed, Sep 23, 2020 at 1:09 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Wed, Sep 23, 2020, 19:02 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Enrico,
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > The Muse App requires two main abilities. First is events, such as notification when pull requests are opened or updated. Second is permission to post comments (which is always possible for humans but more tightly controlled when the poster authenticates as a github application).
> > > > > > > > > > > > > > > > The repository being public has allowed us to run the app and observe ErrorProne, Infer, and FindSecBugs all run out of the box and without custom configuration.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Makes sense.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > One last question from my side
> > > > > > > > > > > > > > > What about security issues?
> > > > > > > > > > > > > > > Our policy is to have them reported to secur...@zookeeper.apache.org before public disclosure
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Enrico
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > > > > Tom
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Wed, Sep 23, 2020 at 6:35 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > On Wed, Sep 23, 2020, 00:44 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Zookeeper Developers,
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > As part of our sponsorship of ApacheCon, our company MuseDev is doing a Bug Bash for select Apache projects. We'll bring members of the ApacheCon community together to find and fix a range of security and performance bugs during the conference, and gameify the experience with teams, a leaderboard, and prizes. The bash is open to everyone whether attending the conference or not, and our whole dev team will also be participating to help fix as many bugs as we can.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > We're seeding the bug list with results from Muse, our code analysis platform, which runs as a Github App and comments on possible bugs as part of the pull request workflow. Here's an example of what it looks like:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > https://github.com/curl/curl/pull/5971#discussion_r490252196
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > We explored a number of Apache projects and are reaching out because our analysis through Muse found some interesting bugs that could be fixed during the Bash.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > We're writing to see if you'd be interested in having your project included in the Bash. Everything is set up on our end, and if you're interested, we would need you to say yes on this listserv, and we’ll work with the Apache Infrastructure team to grant Muse access to your Github mirror.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > It is a public repo, which kind of access does it need?
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Enrico
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > We'll then make sure it's all set-up and ready for the Bash. And of course, everyone on the project is most welcome to join the Bash and help us smash some bugs.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > -Tom
> > > > >
> > > > > --
> > > > > Rich Bowen
> > > > > rbo...@rcbowen.com