Status Update
No update yet.
Comments
bl...@google.com
bl...@google.com
dd...@google.com
Added this into hotlist:available to remove from the trooper queue.
dd...@google.com
The need for trusted deps makes sense, but meeting all submit requirements is rather extreme. It effectively means each CL must be reviewed one-at-a-time, bringing all the way to ready-to-submit before you can even find out if the child passes tests.
A unprivileged committer can trigger a dry-run only if the CL is submittable in Gerrit, which means that a probably-Googler reviewed and approved the CL. So, even if we make a change for your proposal, the CL has to be approved by privileged committers first.
Then, could the reviewer (privileged committer) trigger a dry-run on the CL at the time of reviewing the CLs? privileged committers can trigger dry-runs regardless of open-deps. If the UX is an issue, then we could consider updating the UI such that it will ask the reviewer if they want to trigger dry-runs when the approval button is clicked.
mp...@google.com
Our unpriviledged users actually cannot ever trigger dry-runs, even on approved CLs [1]. This is actually about priviledged users triggering dry-runs of CLs owned by unpriviledged users.
Then, could the reviewer (privileged committer) trigger a dry-run on the CL at the time of reviewing the CLs? privileged committers can trigger dry-runs regardless of open-deps.
This does not seem to be the case, at least for us. Am I misunderstanding? Or maybe this is a configuration issue? For example, see
[1] Perhaps we could consider changing that, but that is not relevant here.
dd...@google.com
My apologies. You are right. It's required to have all deps approved in order for a committer to trigger a dry-run on someone else' CL.
https://source.chromium.org/chromium/infra/infra_superproject/+/main:infra/go/src/go.chromium.org/luci/cv/internal/acls/run_create.go;l=251-254
I believe that we ACL-ed the dry-run privileges to minimize the chance of malicious code getting compiled and executed in tryjobs. For instance, in this flow, it's possible that
- an unprivileged external contributor uploads CL-1 with malicious code, and sends a review request to someone else.
- the contributor uploads CL-2, having CL-1 as a dep CL.
- the contributor sends a review request for CL-2 to a committer, and the committer triggers a dry-run without realizing that CL-1 has malicious code.
It's not perfect, but by enforcing all deps fully-reviewed by a committer with a stamp, we effectively minimize the chance of such an attack. However, I acknowledge that it effectively blocks code reviews on a CL until its dep CLs are approved, as no one can trigger a dry-run on the CL, uploaded by an external contributors, with open-deps.
We can introduce a new config option to relax
mp...@google.com
I agree that avoiding accidentally executing malicious code from a dep you failed to look at is useful in general. I'm trying to weigh the usefulness vs the pain.
We can introduce a new config option to relax this contraint. It means that a fully privileged user can trigger a dry-run on someone else' CL, even if it has open deps. In chrome, I'd route this topic to chops-security to check the security concerns, but I'm not sure about golang. If the option to relax the constraint sounds good to you, we can add the option. WDYT?
I would want to check with our security team as well. Our old CI system allowed this, so I suspect it would be OK (though perhaps just because no one thought about it).
I'm curious if you have thoughts on my somewhat "middle ground" proposal in #1: "Instead, I propose that a dep CL is trusted if it has an inflight or completed dry/full. This informs us that a privileged user must have reviewed that dep and deemed it safe to test. The resulting workflow would require a reviewer to vote Commit-Queue+1 in the proper order, which is a bit annoying but much less than the status quo."
Description
This was discussed in chat a while ago, but I don't think we ever filed a bug.
We sometimes receive CL stacks (Gerrit CLs with unsubmitted parents) from unprivileged contributors (i.e., not committer or dry-runner).
e.g.,https://go.dev/cl/595564 .
LUCI will only allow a dry run on this CL if its dependencies are trusted, which in the case of an unprivileged author means that the CL must meet all submit requirements.
The need for trusted deps makes sense, but meeting all submit requirements is rather extreme. It effectively means each CL must be reviewed one-at-a-time, bringing all the way to ready-to-submit before you can even find out if the child passes tests. This makes review slow and painful.
Instead, I propose that a dep CL is trusted if it has an inflight or completed dry/full. This informs us that a privileged user must have reviewed that dep and deemed it safe to test. The resulting workflow would require a reviewer to vote Commit-Queue+1 in the proper order, which is a bit annoying but much less than the status quo.
It would be nice if additionally, a Code-Review+1/+2 from a privileged user on a dep CL could be seen as a "partial approval" that allows testing, but yiwzhang@ noted that this introduces a new concept (partial approval), and this would likely need to vary across projects.