Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
On Tue, 2018-12-18 at 15:16 -0500, Neal Gompa wrote:
> On Tue, Dec 18, 2018 at 3:10 PM Sérgio Basto wrote:
> >
> > Hi, (sorry for duplicates, I sent from the wrong email before)
> >
> > Nothing happened last week.
> >
> > Can you add me to https://pagure.io/FedoraReview/ and to
> > https://src.fedoraproject.org/rpms/fedora-review please.
> >
> > My FAS user is sergiomb. People want to revert the mock configurations of
> > RPMFusion because it is not working with the current release; we have a
> > non-functional fedora-review in the repos, so IMHO this is the most urgent
> > task to do.
> >
>
> It doesn't matter at the moment. Currently I can't merge *any* PRs in
> fedora-review, due to a bug in Pagure[1].
>
> I've already got three PRs slated for merge, and once those are out,
> I'll make a release.
>
> [1]: https://pagure.io/pagure/issue/4142

Friend, let me do the work; for that I need ACLs.

Thanks
--
Sérgio M. B.
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
On Tue, Dec 18, 2018 at 3:10 PM Sérgio Basto wrote:
>
> Hi, (sorry for duplicates, I sent from the wrong email before)
>
> Nothing happened last week.
>
> Can you add me to https://pagure.io/FedoraReview/ and to
> https://src.fedoraproject.org/rpms/fedora-review please.
>
> My FAS user is sergiomb. People want to revert the mock configurations of
> RPMFusion because it is not working with the current release; we have a
> non-functional fedora-review in the repos, so IMHO this is the most urgent
> task to do.
>

It doesn't matter at the moment. Currently I can't merge *any* PRs in
fedora-review, due to a bug in Pagure[1].

I've already got three PRs slated for merge, and once those are out,
I'll make a release.

[1]: https://pagure.io/pagure/issue/4142

--
真実はいつも一つ!/ Always, there's only one truth!
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
Hi, (sorry for duplicates, I sent from the wrong email before)

Nothing happened last week.

Can you add me to https://pagure.io/FedoraReview/ and to
https://src.fedoraproject.org/rpms/fedora-review please.

My FAS user is sergiomb. People want to revert the mock configurations of
RPMFusion because it is not working with the current release; we have a
non-functional fedora-review in the repos, so IMHO this is the most urgent
task to do.

Thanks

On Tue, 2018-12-11 at 16:36 -0500, Neal Gompa wrote:
> On Tue, Dec 11, 2018 at 10:30 AM Sérgio Basto <ser...@serjux.com> wrote:
> >
> > Hi,
> >
> > Any news?
> >
> > "But I guess nothing's getting released, for some reason? fedora-review
> > has been on version 0.6.1 since May 2016; all package activity since
> > then has been housekeeping rebuilds."
> >
> > May you add me as admin to the Fedora-review package? To release a new
> > version.
> >
>
> There's really one remaining thing for a new release of FedoraReview:
> porting to Python 3. There's a WIP PR here:
> https://pagure.io/FedoraReview/pull-request/312
>
> If it doesn't budge this week, I'm hoping to take a crack at it in the
> next week or so and try to pull it over the finish line.
>
> --
> 真実はいつも一つ!/ Always, there's only one truth!

--
Sérgio M. B.
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
On Tue, 2018-12-11 at 16:36 -0500, Neal Gompa wrote:
> On Tue, Dec 11, 2018 at 10:30 AM Sérgio Basto wrote:
> >
> > Hi,
> >
> > Any news?
> >
> > "But I guess nothing's getting released, for some reason? fedora-review
> > has been on version 0.6.1 since May 2016; all package activity since
> > then has been housekeeping rebuilds."
> >
> > May you add me as admin to the Fedora-review package? To release a new
> > version.
> >
>
> There's really one remaining thing for a new release of FedoraReview:
> porting to Python 3. There's a WIP PR here:
> https://pagure.io/FedoraReview/pull-request/312
>
> If it doesn't budge this week, I'm hoping to take a crack at it in the
> next week or so and try to pull it over the finish line.

Hi, Neal Gompa

I would also like to be an admin in https://pagure.io/FedoraReview; can you
add me, please? We have lots of pull requests to review. Version 0.6.1 is
not tagged; in summary, lots of work to do.

Thanks.

> --
> 真実はいつも一つ!/ Always, there's only one truth!

--
Sérgio M. B.
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
On Tue, Dec 11, 2018 at 10:30 AM Sérgio Basto wrote:
>
> Hi,
>
> Any news?
>
> "But I guess nothing's getting released, for some reason? fedora-review has
> been on version 0.6.1 since May 2016; all package activity since then has
> been housekeeping rebuilds."
>
> May you add me as admin to the Fedora-review package? To release a new version.
>

There's really one remaining thing for a new release of FedoraReview:
porting to Python 3. There's a WIP PR here:
https://pagure.io/FedoraReview/pull-request/312

If it doesn't budge this week, I'm hoping to take a crack at it in the
next week or so and try to pull it over the finish line.

--
真実はいつも一つ!/ Always, there's only one truth!
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
Hi,

Any news?

"But I guess nothing's getting released, for some reason? fedora-review has
been on version 0.6.1 since May 2016; all package activity since then has
been housekeeping rebuilds."

May you add me as admin to the Fedora-review package? To release a new version.

Thanks

On Sat, 2018-08-18 at 06:12 -0400, Stephen Gallagher wrote:
> On Fri, Aug 17, 2018 at 2:08 PM Richard W.M. Jones wrote:
> > While I agree that this is a good idea, I have one note of caution:
> >
> > What's to stop someone adding a malicious package which did something
> > like ‘Provides: glibc’ and subsequently infects everyone's machine?
> >
> > I think we'd want to consider the security implications of accepting
> > packages after only automated review.
> >
>
> Literally nothing prevents a packager from doing this *today*. As
> soon as package-review is complete and the dist-git repo is created,
> the packager can make whatever changes they want and push it with
> impunity.
>
> Let’s be wary of the Nirvana Fallacy while discussing this: a perfect
> solution doesn’t need to be found before implementing one that
> improves on the current state.
>
> That being said, it wouldn’t be particularly difficult for the review
> script to run `dnf repoquery --whatprovides` for everything this new
> package provides and fail if it replaces something else without
> Obsoletes.
>
> > Rich.

--
Sérgio M. B.
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
To answer your question, solely because I don't like FUD-driven fear-mongering
in discussions:

RPM-based depsolvers select packages based on heuristics, including what is
already installed. Any malicious package that had Provides: glibc would most
likely be ignored because glibc is already installed.

List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/5OIFLSJAWO5OTVHNPAT62Z32IWE3BOG2/
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
On Fri, Aug 17, 2018 at 2:08 PM Richard W.M. Jones wrote:
>
> While I agree that this is a good idea, I have one note of caution:
> What's to stop someone adding a malicious package which did something
> like ‘Provides: glibc’ and subsequently infects everyone's machine?
> I think we'd want to consider the security implications of accepting
> packages after only automated review.
>

Literally nothing prevents a packager from doing this *today*. As soon as
package-review is complete and the dist-git repo is created, the packager
can make whatever changes they want and push it with impunity.

Let’s be wary of the Nirvana Fallacy while discussing this: a perfect
solution doesn’t need to be found before implementing one that improves on
the current state.

That being said, it wouldn’t be particularly difficult for the review script
to run `dnf repoquery --whatprovides` for everything this new package
provides and fail if it replaces something else without Obsoletes.

> Rich.
>
> --
> Richard Jones, Virtualization Group, Red Hat
> http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> virt-builder quickly builds VMs from scratch
> http://libguestfs.org/virt-builder.1.html

List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/CWZEBZ5ND23U4TKAG3L3Z37CYSV6GQAY/
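The check Stephen sketches above (query `dnf repoquery --whatprovides` for every capability the new package provides, and fail the review when an existing package already provides it and the new package does not Obsoletes it), written out as an added example. It also covers Richard's `Provides: glibc` scenario. This is not code from the thread or from fedora-review itself: the `rpm -qp --provides` and `dnf repoquery --whatprovides ... --qf '%{name}'` command lines are the real tools, while the function names, the `FAKE_REPO` snapshot and `fake_whatprovides` are constructed here so the decision logic can run offline.

```python
import subprocess
from typing import Callable, Dict, Iterable, List

# Added example: a "does this new package hijack an existing Provides?"
# check of the kind described in the thread. Function names, FAKE_REPO and
# fake_whatprovides are constructed for this example (assumptions, not
# fedora-review code); the rpm and dnf command lines are the real tools.


def rpm_capabilities(rpm_path: str, tag: str) -> List[str]:
    """Provides or Obsoletes of a built RPM, one capability per line,
    via `rpm -qp --provides` / `rpm -qp --obsoletes`."""
    out = subprocess.run(
        ["rpm", "-qp", f"--{tag}", rpm_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def dnf_whatprovides(capability: str) -> List[str]:
    """Names of enabled-repository packages that provide `capability`."""
    out = subprocess.run(
        ["dnf", "-q", "repoquery", "--whatprovides", capability, "--qf", "%{name}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return sorted({line.strip() for line in out.splitlines() if line.strip()})


def capability_name(cap: str) -> str:
    """'glibc = 2.28-1' -> 'glibc'. Any package providing the name at any
    version counts; the version part is irrelevant to this check."""
    return cap.split()[0]


def find_hijacked_provides(
    new_name: str,
    provides: Iterable[str],
    obsoletes: Iterable[str],
    whatprovides: Callable[[str], List[str]] = dnf_whatprovides,
) -> Dict[str, List[str]]:
    """Map each Provides of the new package to existing packages that already
    provide it. The package itself (a rebuild or update of an existing
    package) and anything it explicitly Obsoletes (a declared, reviewable
    replacement) are skipped. An empty dict means the check passes."""
    obsoleted = {capability_name(o) for o in obsoletes}
    hijacked: Dict[str, List[str]] = {}
    for cap in provides:
        owners = whatprovides(capability_name(cap))
        others = [p for p in owners if p != new_name and p not in obsoleted]
        if others:
            hijacked[cap] = others
    return hijacked


def review_rpm(rpm_path: str, new_name: str) -> Dict[str, List[str]]:
    """Entry point for a real review run: needs rpm and dnf with the target
    repositories enabled. A non-empty result is a review failure."""
    return find_hijacked_provides(
        new_name,
        rpm_capabilities(rpm_path, "provides"),
        rpm_capabilities(rpm_path, "obsoletes"),
    )


# Constructed repository snapshot standing in for real `dnf repoquery` output.
FAKE_REPO = {
    "glibc": ["glibc"],
    "libfoo.so.1()(64bit)": ["foo"],
    "oldfoo": ["oldfoo"],
}


def fake_whatprovides(capability: str) -> List[str]:
    """Offline stand-in for dnf_whatprovides, backed by FAKE_REPO."""
    return FAKE_REPO.get(capability_name(capability), [])


if __name__ == "__main__":
    # A submission claiming "Provides: glibc" is flagged...
    print(find_hijacked_provides("evil", ["evil = 1.0", "glibc = 2.28"], [],
                                 fake_whatprovides))
    # ...while a rename that declares Obsoletes for what it replaces is not.
    print(find_hijacked_provides("newfoo", ["newfoo = 2.0", "oldfoo = 2.0"],
                                 ["oldfoo < 2.0"], fake_whatprovides))
```

On a review host with the target repositories enabled, `review_rpm("/path/to/new.rpm", "newpkg")` runs the real query chain; any entry in the returned dict is the reason to fail the submission. The check is deliberately narrow: it treats an Obsoletes as a legitimate, declared replacement, so a package that both Provides and Obsoletes an existing core name would pass it. An automated step should therefore surface Obsoletes of existing packages to a human rather than silently accept them, which is in line with the thread's point that the goal is improving on the current state, not perfection.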
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
On Fri, Aug 17, 2018, 20:53 Richard W.M. Jones wrote:
>
> While I agree that this is a good idea, I have one note of caution:
> What's to stop someone adding a malicious package which did something
> like ‘Provides: glibc’ and subsequently infects everyone's machine?
> I think we'd want to consider the security implications of accepting
> packages after only automated review.
>

I agree. I think a pair of human eyes will have to look at package
submissions, at least until we have a sufficiently advanced FPC AI to do
it ;)

However, I think using automated checks for existing packages would be a
nice thing (although fedora-review isn't suited to do that right now, and
is out of sync with current guidelines).

Fabio

> Rich.
>
> --
> Richard Jones, Virtualization Group, Red Hat
> http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> virt-builder quickly builds VMs from scratch
> http://libguestfs.org/virt-builder.1.html

List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/WN2GBA2SWXYVTY24FWBG53DILWV4BHDI/
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
While I agree that this is a good idea, I have one note of caution:
What's to stop someone adding a malicious package which did something
like ‘Provides: glibc’ and subsequently infects everyone's machine?
I think we'd want to consider the security implications of accepting
packages after only automated review.

Rich.

--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html

List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/YQDW7BJDV46ZBW5VEJU6UKK3JSA2D4QO/
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
On Thu, Aug 16, 2018 at 4:09 PM, Stephen Gallagher wrote:
> I'd *really* like to see us get to a point where package review is
> fully-automated. Basically we could just have a web-service that you pass a
> URL to an SRPM plus authenticate with your FAS account and it will perform
> all of the validity checks and if they all pass would go ahead and request
> the branches for you and import the SRPM.
>
> Once this is fully automated, we can then *also* add the same checks to CI
> (taskotron, OSCI or whatever) so that on each build it gets rerun, which
> will allow us to help reduce the rate of packages falling out of compliance
> (as well as being updated whenever the checks get made more comprehensive).
>
> Historically, we've had human review mainly to protect against two things,
> bundling and unacceptable licenses. In both of these cases, I'd like for us
> to move towards a culture of assuming goodwill on behalf of our packagers.
> Most of the packagers in Fedora have been doing it for a long time and know
> what is and is not acceptable. Optimizing for the minority case is wasteful,
> especially when it adds hurdles and delays to getting software delivered.

Also (at least in my experience), generally licensing issues get caught by a
human inspecting the output of "licensecheck", which fedora-review currently
runs automatically anyway. If the automated review process did this and
showed the results to the packager, I bet we would catch a lot of the
licensing/bundling problems.

Anyway, I really like this idea. Maybe we should still require quasi-manual
reviews for new contributors as part of the sponsorship process, though?

Ben Rosser

List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/TH7WI36C373Y65YOK5LUXHMCGBFRB5TG/
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
On Thu, Aug 16, 2018 at 11:09 PM Neal Gompa wrote:
> On Thu, Aug 16, 2018 at 5:04 PM Stephen Gallagher wrote:
> >
> > On Thu, Aug 16, 2018 at 8:30 AM Michal Novotny wrote:
> >>
> >> On Thu, Aug 16, 2018 at 10:49 AM Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl> wrote:
> >>>
> >>> f-r currently fails to build (#1603956), it has a bunch of bugs open [1]
> >>> and many issues and unhandled pull requests in the upstream repo [2, 3].
> >>> The last upstream commit was 2 years ago.
> >>>
> >>> f-r is annoyingly outdated and often gives outright bad advice
> >>> (for example about BR:gcc or BR:g++). The situation would be significantly
> >>> improved if the outstanding PRs were merged.
> >>>
> >>> f-r is also python2-only now, which will be a problem soon since
> >>> support for python2 is waning [4].
> >>>
> >>> Is there any hope of upstream and downstream activity on f-r?
> >>
> >> I was thinking about getting the fedora-review checks rewritten into the
> >> standard Test interface
> >> (https://qa.fedoraproject.org/docs/libtaskotron/latest/standard-test-interface.html)
> >> so that they can be run in Taskotron. We can also just probably run one big
> >> fedora-review check from a taskotron test. Well, this just came to my mind
> >> recently; getting the actual solution ready might take a little bit of time.
> >
> > I'd *really* like to see us get to a point where package review is
> > fully-automated. Basically we could just have a web-service that you pass a
> > URL to an SRPM plus authenticate with your FAS account and it will perform
> > all of the validity checks and if they all pass would go ahead and request
> > the branches for you and import the SRPM.
> >
> > Once this is fully automated, we can then *also* add the same checks to
> > CI (taskotron, OSCI or whatever) so that on each build it gets rerun, which
> > will allow us to help reduce the rate of packages falling out of compliance
> > (as well as being updated whenever the checks get made more comprehensive).
> >
> > Historically, we've had human review mainly to protect against two
> > things, bundling and unacceptable licenses. In both of these cases, I'd
> > like for us to move towards a culture of assuming goodwill on behalf of our
> > packagers. Most of the packagers in Fedora have been doing it for a long
> > time and know what is and is not acceptable. Optimizing for the minority
> > case is wasteful, especially when it adds hurdles and delays to getting
> > software delivered.
> >
> > I think what we should instead do is allow things through immediately
> > following automated review and just assume that those few cases that slip
> > through that should not will get handled after the fact as soon as they are
> > noticed (either by someone noticing or an improvement in the automated tool
> > discovering the problem).
> >
> > I feel strongly that automated, continuous review would be of far
> > greater value to Fedora than front-loading the review process the way we
> > have been doing (which serves mostly to discourage people from even
> > starting).
>
> I fully agree with this, which is why Tom (Cc'd to this email) and I
> have been sketching out a plan to start moving towards this.
>
> It won't be particularly easy, but we're looking at a step-by-step
> approach to get there. However, if more people are interested in
> contributing to make the end-goal possible, we might be able to get
> there more quickly.
>

Copr team is willing to help. I think my colleagues will agree with me.

clime

> --
> 真実はいつも一つ!/ Always, there's only one truth!

List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/IXQK6VKO43J67KZLM7X4DY5C32VAEQ4U/
Re: Automating Package Review (Was: fedora-review -- do we have a maintainer?)
On Thu, Aug 16, 2018 at 5:04 PM Stephen Gallagher wrote:
>
> On Thu, Aug 16, 2018 at 8:30 AM Michal Novotny wrote:
>>
>> On Thu, Aug 16, 2018 at 10:49 AM Zbigniew Jędrzejewski-Szmek wrote:
>>>
>>> f-r currently fails to build (#1603956), it has a bunch of bugs open [1]
>>> and many issues and unhandled pull requests in the upstream repo [2, 3].
>>> The last upstream commit was 2 years ago.
>>>
>>> f-r is annoyingly outdated and often gives outright bad advice
>>> (for example about BR:gcc or BR:g++). The situation would be significantly
>>> improved if the outstanding PRs were merged.
>>>
>>> f-r is also python2-only now, which will be a problem soon since
>>> support for python2 is waning [4].
>>>
>>> Is there any hope of upstream and downstream activity on f-r?
>>
>> I was thinking about getting the fedora-review checks rewritten into the
>> standard Test interface
>> (https://qa.fedoraproject.org/docs/libtaskotron/latest/standard-test-interface.html)
>> so that they can be run in Taskotron. We can also just probably run one big
>> fedora-review check from a taskotron test. Well, this just came to my mind
>> recently; getting the actual solution ready might take a little bit of time.
>
> I'd *really* like to see us get to a point where package review is
> fully-automated. Basically we could just have a web-service that you pass a
> URL to an SRPM plus authenticate with your FAS account and it will perform
> all of the validity checks and if they all pass would go ahead and request
> the branches for you and import the SRPM.
>
> Once this is fully automated, we can then *also* add the same checks to CI
> (taskotron, OSCI or whatever) so that on each build it gets rerun, which will
> allow us to help reduce the rate of packages falling out of compliance (as
> well as being updated whenever the checks get made more comprehensive).
>
> Historically, we've had human review mainly to protect against two things,
> bundling and unacceptable licenses. In both of these cases, I'd like for us
> to move towards a culture of assuming goodwill on behalf of our packagers.
> Most of the packagers in Fedora have been doing it for a long time and know
> what is and is not acceptable. Optimizing for the minority case is wasteful,
> especially when it adds hurdles and delays to getting software delivered.
>
> I think what we should instead do is allow things through immediately
> following automated review and just assume that those few cases that slip
> through that should not will get handled after the fact as soon as they are
> noticed (either by someone noticing or an improvement in the automated tool
> discovering the problem).
>
> I feel strongly that automated, continuous review would be of far greater
> value to Fedora than front-loading the review process the way we have been
> doing (which serves mostly to discourage people from even starting).

I fully agree with this, which is why Tom (Cc'd to this email) and I
have been sketching out a plan to start moving towards this.

It won't be particularly easy, but we're looking at a step-by-step
approach to get there. However, if more people are interested in
contributing to make the end-goal possible, we might be able to get
there more quickly.

--
真実はいつも一つ!/ Always, there's only one truth!

List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/G2P5KSN5AGQP4DTGBVQXP5627JB347PY/