On Wed, Aug 08, 2012 at 03:53:35PM -0400, Robert Middleswarth wrote:
> On 08/08/2012 03:07 PM, Dan Kenigsberg wrote:
> >On Wed, Aug 08, 2012 at 09:58:17AM -0400, Robert Middleswarth wrote:
> >>On 08/08/2012 09:50 AM, Dan Kenigsberg wrote:
> >>>On Wed, Aug 08, 2012 at 02:55:17PM +0200, Ewoud Kohl van Wijngaarden wrote:
> >>>>On Wed, Aug 08, 2012 at 03:48:13PM +0300, Dan Kenigsberg wrote:
> >>>>>On Wed, Aug 08, 2012 at 07:47:02AM -0400, Robert Middleswarth wrote:
> >>>>>>I have set up patch review on Jenkins.info for newly submitted
> >>>>>>patches and it seems to be working pretty well overall, but last
> >>>>>>night while tweaking the process I broke it for a few min but that
> >>>>>>was long enough that about 50 jobs were marked -1. I will be fixing
> >>>>>>that today by rerunning the jobs. I am sorry if one of your patches
> >>>>>>was dinged and it should be fixed by this time tomorrow.
> >>>>>Thanks, Robert, for working on this. It is highly important for me to
> >>>>>know that something is going to break the build before taking it in.
> >>>>>
> >>>>>However, would it be possible to have a repository where we can review
> >>>>>the code of the robot?
> >>>>It's Gerrit Trigger[1] and the code is on github[2].
> >>>>
> >>>>>I think it is important for the robot to be less noisy, and
> >>>>>particularly, never give V+1. This task is reserved to humans that
> >>>>>actually know what the patch should be doing.
> >>>>The V+1 has been fixed. Will give 0 when they pass, -1 when they fail.
> >>>>
> >>>>>Also, I am not at all sure that the robot is limiting itself to be
> >>>>>running code of trustworthy authors.
> >>>>Eyal added a feature request for this[3]. This was the result of a
> >>>>discussion on the infra mailing list[4].
> >>>As much as I like (and need) this per-commit verification, I think we
> >>>should not deploy it before the feature is implemented.
> >>>
> >>>BTW, Federico suggested to initiate the test only on request (when oVirt
> >>>Jenkins CI Server is added as reviewer). This would allow a more silent
> >>>start for CI.
> >>>
> >>>Thanks,
> >>>Dan.
> >>I already wrote a little bash code to do this outside the plug-in.
> >>It will be in place by the end of the day.
> >This kind of script is exactly the thing I'd like to be peer-reviewed
> >before applied en masse to gerrit changes. Particularly due to the
> >security implications.
> >
> >Regards,
> >Dan.
> If you are talking about the jenkins app that updates Gerrit, that
> has been in use on ovirt-node-devel for some time. As for the
> whitelist script, that is like 4 lines.
>
> git log --pretty="%ce" -n 1 > $WORKSPACE/current_author.txt

Are we sure that the top author is good enough? What if a trusted user
builds on top of a non-trusted user? Does it mean that the lower commits
are automatically trusted?

> grep -f $WORKSPACE/current_author.txt $WORKSPACE/jenkins-whitelist.txt
> RETVAL=$?
> [ $RETVAL -ne 0 ] && curl -u jenkins_bot:xxxxxx $BUILD_URL/stop;
>
> It is simple and the files are generated outside of the repo so it
> should be safe.
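
As an added example (not part of the original message, and not the script used on the oVirt Jenkins server), here is one way to apply the whitelist check to every commit in a change rather than only the top one, the case the reply asks about, using exact whole-line matching instead of `grep -f`. The `BASE` variable, the function names and the usage line are assumptions.

```shell
#!/bin/sh
# Added example: gate a CI build on a whitelist of commit e-mail addresses.
# BASE (tip of the already-trusted branch) and both function names are
# assumptions, not taken from the thread.

# Print the author and committer e-mail of every commit in BASE..HEAD,
# so commits underneath the top one are checked as well.
range_emails() {
    git log --format='%ae%n%ce' "$1..$2"
}

# Read e-mail addresses on stdin. Succeed only if at least one address was
# read and every address equals a whole line of the whitelist file "$1".
all_whitelisted() {
    whitelist=$1
    seen=0
    while IFS= read -r email; do
        seen=1
        # Reject an empty address outright.
        [ -n "$email" ] || return 1
        # -F: fixed string, so '.' is not a regex wildcard
        # -x: the whole whitelist line must match, not a substring
        # -e: the address is never parsed as a grep option
        grep -Fxq -e "$email" "$whitelist" || return 1
    done
    # No commits seen (empty range or git failure) fails closed.
    [ "$seen" -eq 1 ]
}

# Usage inside a job (fails the build step instead of calling /stop):
#   range_emails "$BASE" HEAD | sort -u \
#       | all_whitelisted "$WORKSPACE/jenkins-whitelist.txt" \
#       || { echo "change contains a commit from a non-whitelisted address" >&2; exit 1; }
```
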
