opendevreview | James E. Blair proposed openstack/project-config master: Temporarily stop loading nodesets from zuul-providers https://review.opendev.org/c/openstack/project-config/+/947605 | 15:46 |
---|---|---|
opendevreview | James E. Blair proposed openstack/project-config master: Use zuul-providers for nodesets in opendev/zuul tenants https://review.opendev.org/c/openstack/project-config/+/947607 | 15:49 |
opendevreview | Merged openstack/project-config master: Temporarily stop loading nodesets from zuul-providers https://review.opendev.org/c/openstack/project-config/+/947605 | 16:30 |
sean-k-mooney | fungi: is https://docs.opendev.org/opendev/infra-manual/latest/creators.html still up to date? vkmc is going to be on pto for a few weeks, so i'll likely propose the patches to create the new prometheus plugin repo under telemetry instead | 16:46 |
sean-k-mooney | we will also need some xstatic packages at least for now | 16:47 |
clarkb | yes it should be | 16:47 |
sean-k-mooney | i need to check with horizon and telemetry where those should be | 16:47 |
clarkb | the process hasn't changed in a long time | 16:47 |
sean-k-mooney | ya i didn't think it had, just wanted to make sure before i start pushing things | 16:47 |
sean-k-mooney | it's on my todo list for tuesday | 16:48 |
fungi | sean-k-mooney: sure, i think https://review.opendev.org/946742 followed that a week ago to create the new aetos repo for the telemetry team | 16:48 |
sean-k-mooney | ya i saw that in the list of recent reviews | 16:48 |
sean-k-mooney | fungi: clarkb: it might be covered but when i create the pypi project and give openstackci owner rights the last step is removing myself, right | 16:51 |
sean-k-mooney | ah ya its in the doc | 16:51 |
clarkb | sean-k-mooney: that's openstack policy (the jobs and stuff don't actually care) but yes my recollection is that individuals should drop their ownership | 16:51 |
fungi | sean-k-mooney: creating a project on pypi should no longer be necessary actually, and the process for attempting to do so is painful/convoluted | 16:51 |
clarkb | oh right they stopped needing that | 16:52 |
fungi | you should be able to just skip that step and let it get auto-created the first time a (pre)release is tagged | 16:52 |
sean-k-mooney | i know we have been trying to harden who can actually push to pypi | 16:52 |
sean-k-mooney | oh ok | 16:52 |
sean-k-mooney | that's a bonus | 16:52 |
fungi | pypi admins actually consider pre-creation of projects to be namesquatting these days | 16:52 |
sean-k-mooney | so will the project get created when we try to do the first release | 16:53 |
fungi | and nwe projects on pypi are autocreated at first upload | 16:53 |
fungi | s/nwe/new/ | 16:53 |
sean-k-mooney | cool | 16:53 |
sean-k-mooney | we still need to create the launchpad tracker by hand and update the permissions right | 16:54 |
fungi | yes | 16:55 |
fungi | unless you plan to reuse/share an existing one | 16:55 |
sean-k-mooney | i thought you were going to say unless you want to use storyboard | 16:56 |
sean-k-mooney | we will probably want a separate one for the horizon plugin but i'm not sure about the xstatic packages | 16:57 |
sean-k-mooney | we might not need one for those | 16:57 |
fungi | i would recommend looking at how the other plugins and xstatic packages do it, and then make this one similar | 16:59 |
opendevreview | Merged openstack/project-config master: Use zuul-providers for nodesets in opendev/zuul tenants https://review.opendev.org/c/openstack/project-config/+/947607 | 16:59 |
sean-k-mooney | fungi: yep i'll do that | 16:59 |
sean-k-mooney | i don't really want to boil the ocean with horizon but i really wish xstatic was not required but maybe we can move in that direction over time | 17:00 |
sean-k-mooney | i know this was a topic in the tc sessions too | 17:00 |
clarkb | I mean technically it isn't required. Plenty of projects avoid it | 17:00 |
sean-k-mooney | it's not required by openstack | 17:01 |
clarkb | but horizon relies on it so not using it for a horizon plugin is likely a huge pile of work | 17:01 |
sean-k-mooney | actually it's not | 17:01 |
sean-k-mooney | well not for a plugin | 17:01 |
sean-k-mooney | so horizon's docs say you should create xstatic packages | 17:01 |
sean-k-mooney | in past summit sessions when angular was being added the core team said it would not be required going forward | 17:02 |
fungi | yeah, as we've discussed before, it would be lovely to just switch to something like yarnpkg/berry to pull the horizon/plugin javascript dependencies into the expected location at build or install time and stop shipping our own copies of those files at all | 17:02 |
sean-k-mooney | but they never updated the docs and those folks have moved on | 17:02 |
sean-k-mooney | ya for right now i started with just https://github.com/SeanMooney/grian-horizon-plugin/blob/master/grian_horizon_plugin/static/vendor/get_vendor.sh | 17:02 |
sean-k-mooney | but obviously that does not scale | 17:03 |
sean-k-mooney | i looked at how zuul does it and that looked interesting | 17:03 |
fungi | the theory behind the xstatic packages was that we were including convenience copies of libs like jquery with the expectation that downstream distros would rip that out and replace it with a pointer to their own jquery package or whatever. but instead distros are actually making separate packages of our xstatic packages with verbatim copies of the js content we ship | 17:03 |
sean-k-mooney | but i did not understand it well enough to suggest doing that in horizon | 17:03 |
sean-k-mooney | i think debian does replace it with a symlink | 17:04 |
sean-k-mooney | but i think redhat just embedded it ya | 17:04 |
* fungi checks... | 17:04 | |
sean-k-mooney | distros in general don't really want to have to package javascript if they can avoid it | 17:05 |
fungi | but yes, that means if we ship an xstatic-jquery with known vulnerabilities in the included jquery version, then that's ending up on users' systems | 17:05 |
fungi | https://packages.debian.org/sid/all/python3-xstatic-jquery/filelist | 17:06 |
fungi | those are not symlinks | 17:06 |
sean-k-mooney | oh ok it's a direct embed | 17:06 |
fungi | yes, exactly what we didn't want happening | 17:06 |
clarkb | I suspect the risk to the debian install is honestly low | 17:06 |
clarkb | the main risk is to anyone running horizon or interacting with it as a client | 17:06 |
fungi | now we're (openstack) responsible for vulnerabilities in jquery | 17:06 |
sean-k-mooney | ya. it also kind of breaks the one version rule for debian | 17:07 |
fungi | it does indeed at that | 17:08 |
sean-k-mooney | like we ship very old versions of those packages which honestly no one should be using but the javascript packaging ecosystem is, well, special | 17:08 |
sean-k-mooney | downstream we are building that from the same package source i.e. the jquery package tar that is used for pypi | 17:14 |
sean-k-mooney | or not... | 17:14 |
sean-k-mooney | we are using an older release... because of course we are | 17:16 |
sean-k-mooney | our downstream is based on antelope so we are still using the version used in horizon from the upper constraints from 2023.1 | 17:18 |
sean-k-mooney | but i guess that is at least the version that horizon was tested with | 17:18 |
fungi | and maybe hopefully patched with backported jquery security fixes | 17:19 |
fungi | (at least that's what's supposed to happen in distro-land) | 17:20 |
sean-k-mooney | one would hope | 17:21 |
opendevreview | Dmitriy Rabotyagov proposed openstack/project-config master: Move OSA sync to integrated repository https://review.opendev.org/c/openstack/project-config/+/947628 | 19:37 |
opendevreview | Dmitriy Rabotyagov proposed openstack/project-config master: Deprecate openstack-ansible-tests repository https://review.opendev.org/c/openstack/project-config/+/947629 | 19:37 |