| -@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 950397: wip: Only copy compatible defaults from provider config https://review.opendev.org/c/zuul/zuul/+/950397 | 10:06 | |
| -@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 950407: Ensure job projects are only considered once https://review.opendev.org/c/zuul/zuul/+/950407 | 12:46 | |
| -@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 950407: Ensure job projects are only considered once https://review.opendev.org/c/zuul/zuul/+/950407 | 13:13 | |
| -@gerrit:opendev.org- Simon Westphahl proposed on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 950370: Improve zuul_console_disabled testing https://review.opendev.org/c/zuul/zuul/+/950370 | 13:26 | |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 950370: Improve zuul_console_disabled testing https://review.opendev.org/c/zuul/zuul/+/950370 | 13:28 | |
| @jkt_:matrix.org | So, I'm about to migrate our company-internal, ancient zuul+nodepool setup (like zuul 3.19.1 on EL7 level of ancient) to something newer. I picked an EL9 clone (alma), and I was wondering if containers are something to use. I followed the [FAQ](https://zuul-ci.org/docs/faq.html) which points me to [Docker hub](https://hub.docker.com/u/zuul), I guess that's obsolete. I pick the latest image on quay.io (which I think is the thing to use, right?), and it tells me quite prominently that the image has a [critical vulnerability in zlib](https://quay.io/repository/zuul-ci/zuul/manifest/sha256:e70658a4971f9243a3347c693c33da0bcbdfdf5bad35d69a6c4d8d3b58c2713e?tab=vulnerabilities). Are these images recommended for use? | 15:46 |
|---|---|---|
| @jkt_:matrix.org | Also, the "install" page of [nodepool](https://zuul-ci.org/docs/nodepool/latest/installation.html#install-nodepool) mentions RHEL7 and python 3.6, while the [release notes](https://zuul-ci.org/docs/nodepool/latest/releasenotes.html) say that nodepool started requiring 3.8 in release 6.0.0, and that it's currently 3.11-only | 15:48 |
| @fungicide:matrix.org | and i guess some documentation is stale too | 15:55 |
| @fungicide:matrix.org | jkt: yes, zuul switched to publishing on quay ~2 years ago: https://lists.zuul-ci.org/archives/list/zuul-announce@lists.zuul-ci.org/message/EGYFJS6REK7WEZCKGYCIRLBOFD7ZWW7U/ | 15:54 |
| @fungicide:matrix.org | looks like we didn't get around to deleting the images from dockerhub like the announcement said we would | 15:54 |
| @fungicide:matrix.org | we should probably stop listing things like python and platform versions in install docs, since we'd need to perpetually update them | 15:57 |
| @clarkb:matrix.org | quay's idea of secure container images is heavily EL biased last I looked at what it complained about in debian | 16:12 |
| @jim:acmegating.com | jkt: opendev runs the quay.io images in production, and acme gating produces very similar images for customers. | 16:13 |
| @clarkb:matrix.org | if you click on those vulnerabilites they give you CVEs which you can trace back to debian to see why debian has or hasn't patched things to quay's satisfaction | 16:14 |
| @jim:acmegating.com | jkt: to expand on what Clark mentioned, that particular cve does not appear to be a concern based on the details: https://security-tracker.debian.org/tracker/CVE-2023-45853 | 16:14 |
| @jkt_:matrix.org | okay, I have no idea what they mean by "src:zlib not producing binary packages", but I'm happy to believe that it's a false alert | 16:17 |
| @jkt_:matrix.org | thanks | 16:17 |
| @jim:acmegating.com | i agree there's some shorthand going on there. :) | 16:17 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul-website] 950440: Update container location in FAQ https://review.opendev.org/c/zuul/zuul-website/+/950440 | 16:20 | |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 950441: Remove completed/inactive specs https://review.opendev.org/c/zuul/zuul/+/950441 | 16:26 | |
| @clarkb:matrix.org | I think this line a little lower on the page explains it `src:zlib only starts building minizip starting in 1:1.2.13.dfsg-2`. The version in bookworm doesn't build minizip from the src:zlib package. The version in debian after bookworm does and was fixed | 16:36 |
| @clarkb:matrix.org | so the vulnerable code is present in the source zlib package but they don't build the vulnerable code from there is my read of it | 16:36 |
| @fungicide:matrix.org | i concur | 16:39 |
| @fungicide:matrix.org | there's an ongoing project to try to get better clarification in debian's security tracker as to why some things with assigned identifiers aren't considered vulnerabilities in debian's packages | 16:40 |
| @clarkb:matrix.org | fungi: even changing the package is vulnerable label to "vulnerable but not in a way that matters" or "vulnerable see notes" would probably help | 16:45 |
| @fungicide:matrix.org | yeah, proposal started here over a month ago: https://lists.debian.org/debian-security/2024/04/msg00001.html (and discussion is still in progress, things move slowly in debian) | 16:58 |
| @fungicide:matrix.org | er, over a year ago i meant | 16:58 |
| @f2ked:matrix.org | FYI: documents are not being updated? | 17:23 |
| [example](https://zuul-ci.org/docs/zuul/latest/drivers/gerrit.html) does not show new `replication_timeout` config | ||
| @clarkb:matrix.org | it looks like the docs promotion jobs are succeeding. Which means the problem is likely in afs maybe? I notice that https://grafana.opendev.org/d/9871b26303/afs?orgId=1&from=now-6h&to=now&timezone=utc doesn't seem to show a vos release timer for project_zuul. Maybe that volume got stuck? | 17:34 |
| @jim:acmegating.com | likely; let's switch to #_oftc_#opendev:matrix.org | 17:34 |
| @jim:acmegating.com | back here now... the issue is the content. i'll fix | 17:54 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 950451: Fix gerrit replication_timeout docs https://review.opendev.org/c/zuul/zuul/+/950451 | 17:55 | |
| @jim:acmegating.com | https://zuul.opendev.org/t/zuul/builds?job_name=zuul-quick-start&project=zuul/zuul | 18:03 |
| @jim:acmegating.com | it looks like the latest gerrit image may have changed something we rely on in tests | 18:03 |
| @clarkb:matrix.org | corvus: they just released 3.12.0 today | 18:03 |
| @jim:acmegating.com | https://zuul.opendev.org/t/zuul/build/b3ca317379fa41c6b229b8e3d8d94902/log/container_logs/gerrit.log#290 | 18:04 |
| @jim:acmegating.com | maybe that? | 18:04 |
| @jim:acmegating.com | correlates with this: https://zuul.opendev.org/t/zuul/build/b3ca317379fa41c6b229b8e3d8d94902/log/container_logs/gerritconfig.log#44 | 18:05 |
| @clarkb:matrix.org | `invalid project.config file in revision 6eba5f7706980d7953bfc89335740ed0792177b3)\nerror: failed to push some refs to 'http://gerrit:8080/All-Projects'` | 18:05 |
| @jim:acmegating.com | Value 'MaxWithBlock' of 'label.Code-Review.function' is not allowed and cannot be set. Label functions can only be set to {NO_BLOCK, NO_OP, PATCH_SET_LOCK}. Use submit requirements instead of label functions. | 18:05 |
| @jim:acmegating.com | ``` | 18:07 |
| [submit-requirement "Code-Review"] | ||
| description = A maximum vote is required for the \ | ||
| 'Code-Review' label. A minimum vote is blocking. | ||
| submittableIf = label:Code-Review=MAX AND -label:Code-Review=MIN | ||
| canOverrideInChildProjects = true | ||
| ``` | ||
| @jim:acmegating.com | would that be the equvilant? based on https://gerrit-review.googlesource.com/Documentation/config-submit-requirements.html#code-review-example but dropped the non-uploader bit | 18:07 |
| @clarkb:matrix.org | let me check against what we updated to in opendev | 18:08 |
| @jim:acmegating.com | oh heh we have that already for verified and workflow | 18:08 |
| @clarkb:matrix.org | https://docs.opendev.org/opendev/system-config/latest/gerrit.html#access-controls you can see in the big block there | 18:09 |
| @clarkb:matrix.org | we used a simpler description but the important bits align | 18:09 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 950454: Fix quickstart example/test for Gerrit 3.12 https://review.opendev.org/c/zuul/zuul/+/950454 | 18:10 | |
| @jim:acmegating.com | that's a naive fix^ but we should look at what Code-Review is actually set to by default now | 18:11 |
| @jim:acmegating.com | i think the only change is that the function is now "NoBlock" which is the default | 18:13 |
| @jim:acmegating.com | so while the project.config in that change doesn't exactly textually match, it is functionally equal | 18:14 |
| @jim:acmegating.com | we are implicitly removing the "no-unresolved-comments" submit requirement | 18:14 |
| @jim:acmegating.com | i think that's fine and reasonable for the quickstart | 18:14 |
| @clarkb:matrix.org | ++ the no-unresolved-comments requirement is also a bit gameable... | 18:15 |
| @clarkb:matrix.org | I'm not sure it adds a ton of value | 18:15 |
| @jim:acmegating.com | here's the complete default project.config from a new gerrit 3.12 install: https://paste.opendev.org/show/bwfblFr6bFDQfF4z6IhL/ | 18:15 |
| @jim:acmegating.com | yeah, and i think it could be problematic for new users to run into that if they are not gerrit experts and they inadvertently left a comment on a change and zuul can't submit it. | 18:16 |
| @jim:acmegating.com | * yeah, and i think it could be problematic for new users to run into that if they are not gerrit experts and they inadvertently left a comment on a change and zuul can't submit it. (in the context of the quickstart) | 18:16 |
| @clarkb:matrix.org | corvus: shoudl we dequeue changes that are not 950454 from the gate since they will fail on quick start? | 18:44 |
| @jim:acmegating.com | i'll approve 454 and promote it | 18:50 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 950460: Niz: fix inheriting image attributes https://review.opendev.org/c/zuul/zuul/+/950460 | 19:54 | |
| @aureliojargas:matrix.org | Hey guys, I have this small change to the `ensure-nox` role, already +2 by Clark: https://review.opendev.org/c/zuul/zuul-jobs/+/945276. Should we merge it? | 20:16 |
| -@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul-website] 950440: Update container location in FAQ https://review.opendev.org/c/zuul/zuul-website/+/950440 | 20:30 | |
| @jim:acmegating.com | i'm wondering why it was omitted | 20:45 |
| @clarkb:matrix.org | corvus: I think before things got standardized it was just missed | 20:47 |
| @jim:acmegating.com | i don't see anything in the original change or the discussion about it https://meetings.opendev.org/irclogs/%23zuul/%23zuul.2022-12-15.log.html | 20:47 |
| @clarkb:matrix.org | and now that we've standardized we're able to more easily align all of the similar roles | 20:47 |
| @jim:acmegating.com | well, it looks like it was added to ensure-tox 2 years prior | 20:47 |
| @jim:acmegating.com | https://review.opendev.org/736330 | 20:48 |
| @jim:acmegating.com | https://review.opendev.org/867902 | 20:48 |
| @jim:acmegating.com | so either i dropped it because it was too complex? or because it didn't seem necessary or a good idea? | 20:49 |
| @jim:acmegating.com | i suspect that i dropped it because we had improved the plumbing of the nox_executable output variable to the point where any consuming role would easily use it, and thus installing it globally as root shouldn't be needed | 20:52 |
| @jim:acmegating.com | but, i guess there's still a need for that? | 20:53 |
| @clarkb:matrix.org | I think the primary change here is about consistency with all of the other roles using the same underlying ensure python venv command role | 20:53 |
| @jim:acmegating.com | Aurelio Jargas: maybe you can confirm whether you need that because of another role in zuul-jobs that doesn't correctly use the output variable, or if it's because you're integrating with something other than a zuul role that makes it difficult to use it. | 20:53 |
| @jim:acmegating.com | Clark: sure, but if the omission was to try to start backing out an uneccessary change, it's worth discussing? | 20:54 |
| @clarkb:matrix.org | yup. I was just pointing out that I'm not sure there is an explicit need driving it | 20:55 |
| @jim:acmegating.com | yeah. it's also been 3 years without apparently needing it, so there might be some evidence that we can start unwinding that from other roles | 20:55 |
| @jim:acmegating.com | otoh, if there is need, that would be good to know, and reasonable to add it. | 20:56 |
| @jim:acmegating.com | Aurelio Jargas: i left a request for clarification on https://review.opendev.org/945276 | 20:57 |
| @jim:acmegating.com | at the very least, we'll end up with some breadcrumbs, since i haven't found any from earlier discussions :( | 20:58 |
| @jim:acmegating.com | [i apologize for my part in that; it's not always easy to remember to note why one did not do a thing] | 20:59 |
| @clarkb:matrix.org | corvus: now the error is `ERROR: commit aa31ca8: Cannot delete 'label.Code-Review.function'. Label functions can only be set to {NO_BLOCK, NO_OP, PATCH_SET_LOCK}. Use submit requirements instead of label functions.` | 21:18 |
| @clarkb:matrix.org | I think you need to set the function to NO_OP | 21:18 |
| @clarkb:matrix.org | looking at opendev that is what we did (we set it to noBlock which is an alias for NO_OP iirc) | 21:19 |
| @clarkb:matrix.org | * looking at opendev that is what we did (we set it to NoBlock which is an alias for NO\_OP iirc) | 21:19 |
| @clarkb:matrix.org | I seem to recall running into this when testing opendev's conversion and its a weird corner case bug in how they implemented things | 21:20 |
| @clarkb:matrix.org | https://gerrit-review.googlesource.com/Documentation/config-labels.html#label_function | 21:21 |
| @jim:acmegating.com | weird i thought they were spelled NoOp and NoBlock. NoOp and NoBlock are supposed to be synonyms and the default, so i assumed that omitting the function would be okay. | 21:24 |
| @clarkb:matrix.org | corvus: yes looking at the docs it is NoOp and NoBlock so the error message must be emitting some serialzed form of something? | 21:25 |
| @clarkb:matrix.org | and ya I want to say the issue is that internally Code-Review is implemented with MaxWithBlock so you can' drop the function you have to set it when changing it | 21:25 |
| @clarkb:matrix.org | basically they deprecated the ability to explicitly set it yourself but then continue to internally set it to the deprecated value or something along those lines. It may have chaned in 3.12 too I suppose | 21:26 |
| @jim:acmegating.com | in 3.12 the default config is noblock and a submit rule | 21:26 |
| @jim:acmegating.com | so that reads to me like changing it from "noblock" to "" is now an error | 21:27 |
| @jim:acmegating.com | anyway, i'll add function=noblock to all 3 | 21:27 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 950454: Fix quickstart example/test for Gerrit 3.12 https://review.opendev.org/c/zuul/zuul/+/950454 | 21:30 | |
Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!