*** jamesmcarthur has joined #zuul | 01:21 | |
*** jamesmcarthur has quit IRC | 01:25 | |
*** jamesmcarthur has joined #zuul | 04:08 | |
openstackgerrit | Paul Belanger proposed openstack-infra/zuul-jobs master: Delete files in dest that don't exist https://review.openstack.org/648815 | 04:18 |
---|---|---|
*** jamesmcarthur has quit IRC | 05:17 | |
*** jamesmcarthur has joined #zuul | 05:18 | |
*** jamesmcarthur has quit IRC | 05:22 | |
*** jamesmcarthur has joined #zuul | 05:48 | |
*** bhavikdbavishi has joined #zuul | 05:57 | |
*** bhavikdbavishi has quit IRC | 06:37 | |
*** bhavikdbavishi has joined #zuul | 06:47 | |
*** bhavikdbavishi has quit IRC | 06:53 | |
*** jesusaur has quit IRC | 07:00 | |
*** jesusaur has joined #zuul | 07:02 | |
openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Match tag items against containing branches https://review.openstack.org/578557 | 07:44 |
openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Use implied branch matcher for implied branches https://review.openstack.org/640272 | 07:44 |
*** bhavikdbavishi has joined #zuul | 07:48 | |
*** quiquell|off has quit IRC | 08:14 | |
logan- | corvus: i'm confused by https://review.openstack.org/#/c/632566/. it breaks a use case where an untrusted application project calls an untrusted deployment project's deploy job in a post pipeline to deploy the application's merged changes. I guess parts of the job could be shifted into a config project to work around this patch. but I'm missing how the patch mitigates the risk of an "independent pre-merge | 08:21 |
logan- | post-review pipeline" in a project with secrets. sure, other projects can't call the jobs, but wouldn't someone just propose a change to compromise the secrets directly in the project where they are defined if you had this insecure pipeline available? why bother with depends-on? it seems like the pipeline definition is insecure, not the job definition? | 08:21 |
*** bhavikdbavishi has quit IRC | 08:23 | |
logan- | putting it another way: i understand the scenario in the story, but I wonder if the scope of this forced allowed-projects restriction could be limited somehow so it doesn't break jobs on systems that don't have that sort of pipeline configuration. I relied on the previous behavior heavily for centralized post-merge deployment jobs and now none of it is permitted to run :) | 08:36 |
openstackgerrit | Merged zuul/project-config master: Add zuul-publish-tox-docs job https://review.openstack.org/648777 | 08:41 |
*** pwhalen has quit IRC | 11:16 | |
*** timburke has quit IRC | 11:16 | |
*** timburke has joined #zuul | 11:16 | |
*** bhavikdbavishi has joined #zuul | 11:25 | |
*** rfolco has quit IRC | 11:41 | |
*** bhavikdbavishi has quit IRC | 12:32 | |
*** bhavikdbavishi has joined #zuul | 13:04 | |
*** bhavikdbavishi has quit IRC | 13:28 | |
*** bhavikdbavishi has joined #zuul | 13:29 | |
*** bhavikdbavishi has quit IRC | 13:35 | |
*** bhavikdbavishi has joined #zuul | 14:42 | |
corvus | logan-: the idea of an "independent pre-merge post-review pipeline" is that it would be constructed to be secure by only triggering after code review (thus the "post-review" part of the descriptor). for example, a "secure check" pipeline which runs jobs that test openstacksdk changes against real public clouds with secret credentials after a core reviewer leaves a +2 vote | 15:00 |
*** bhavikdbavishi has quit IRC | 15:00 | |
*** bhavikdbavishi has joined #zuul | 15:01 | |
corvus | logan-: the vulnerability in that situation is that, even if openstacksdk set allowed-projects to only itself, someone could propose a change to openstacksdk to remove that restriction and print the secret (of course it would never be approved, but that doesn't matter, it only has to exist), then if that person has approval rights to stackforge/stealthekeys, they could propose a change to that which | 15:05 |
corvus | depends-on the openstacksdk change, +2 that one, and therefore get it to run a version of the job which exposed secrets. | 15:05 |
corvus | logan-: i'd very much like to support the case you describe -- it was very difficult choosing between them and annoying that we couldn't support both. | 15:06 |
corvus | logan-: maybe we could do something where adding a job to a project-pipeline in a config project is allowed to override allowed-projects... so all the job definitions could still remain in the untrusted projects, but you attach the deployment job to the application project's post pipeline in the config project. | 15:08 |
corvus | logan-: it's too early for me to figure out if that's secure or not, but i'll think about it... what do you think? | 15:09 |
openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Fix slightly smaller font of in progress jobs https://review.openstack.org/648827 | 15:30 |
pabelanger | https://review.openstack.org/648815/ is the fix to stale files being left on static nodes (with prepare-workspace), however we don't run this role in openstack zuul. So I just linked downstream results. | 15:32 |
openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Resolve todo after stream.html to stream renaming https://review.openstack.org/648828 | 15:33 |
*** bhavikdbavishi has quit IRC | 15:37 | |
openstackgerrit | Paul Belanger proposed openstack-infra/zuul-jobs master: Don't create bindep venv if bindep_file is not found https://review.openstack.org/648833 | 16:28 |
pabelanger | ^ is a small speed improvement to deal with projects that don't have bindep.txt files. No need to install bindep into a virtualenv. | 16:42 |
AJaeger | pabelanger: for OpenStack we have the fallback, so in OpenStack that is a nop. But fine taking it for others | 17:06 |
pabelanger | AJaeger: thanks! | 18:06 |
*** jamesmcarthur has quit IRC | 18:21 | |
*** jamesmcarthur_ has joined #zuul | 18:21 | |
*** jamesmcarthur_ has quit IRC | 18:36 | |
*** rfolco has joined #zuul | 19:15 | |
logan- | corvus: I like that idea. it seems like a workable solution and good middle ground. | 19:39 |
*** rfolco has quit IRC | 19:47 | |
openstackgerrit | Paul Belanger proposed openstack-infra/zuul-jobs master: Add trailing slash for log url https://review.openstack.org/648837 | 20:15 |
pabelanger | mnaser: AJaeger: ^ another thing I noticed, shouldn't break anything but give correct log now to users in logs. | 20:16 |
*** jamesmcarthur has joined #zuul | 20:18 | |
*** remi_ness has joined #zuul | 20:32 | |
*** pwhalen has joined #zuul | 21:20 | |
openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Use xterm.js for live log streaming https://review.openstack.org/648838 | 21:24 |
tobiash | corvus, mordred, tristanC: this is an improvement for the browser based live log ^ | 21:25 |
tobiash | with that my browser handles live logs just fine regardless of the size | 21:25 |
tobiash | :) | 21:25 |
openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Use xterm.js for live log streaming https://review.openstack.org/648838 | 21:27 |
*** jamesmcarthur has quit IRC | 22:22 | |
*** remi_ness has quit IRC | 22:27 | |
SpamapS | coooooool | 22:42 |
logan- | tobiash: that works great! | 23:34 |
logan- | http://logs.openstack.org/38/648838/2/check/zuul-build-dashboard/51795bc/npm/html/stream/e105d46904794cb8af4b5a63edb70f6c?logfile=console.log even has colors in it | 23:37 |