Let's not close these pull requests as invalid, as they come with very good intentions. Can someone on this list from MuseDev please work with the contributors so they are aware of our contribution guideline: https://cwiki.apache.org/confluence/display/ZOOKEEPER/HowToContribute

For these pull requests, I think they can be merged as long as they are reviewed and get green builds. Committers can either help create a JIRA and associate it with the PR at merge time, or use their own judgement without a JIRA if the fix is trivial. I still prefer all contributors to follow the guidelines so they can get their contribution credits in the JIRA system.

On Fri, Oct 2, 2020 at 8:34 AM Rich Bowen <rbo...@rcbowen.com> wrote:

> I know you're not asking me, but with my Community Development hat on, I strenuously encourage you to view this as an opportunity to bring on new contributors, and couch your response accordingly. Anything that comes across as scolding them for Doing It Wrong is going to leave a bad taste and possibly lose new contributors, particularly when we invited them to participate in this process. We did invite them, and we did point them to the issues, via Muse.dev. Perhaps Muse.dev can work with us to automate the process of creating tickets for the issues that were raised?
>
> On 10/2/20 11:26 AM, Enrico Olivelli wrote:
>
> > Hey!
> > It looks like the Bug Bash has brought a few Pull Requests
> > https://github.com/apache/zookeeper/pulls
> >
> > Unfortunately they are not following the contribution guidelines (for instance there is no associated JIRA)
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/HowToContribute
> >
> > Most of the PRs are about trivial fixes, I am not sure if a JIRA is deserved.
> >
> > What should we do?
> > My proposal is to ping the contributor in order to obey the guide and then finally accept the patches, as Michael Han did in this patch
> > https://github.com/apache/zookeeper/pull/1470
> >
> > I don't want to see those patches remaining on GitHub as low hanging fruit, so it is better that we decide how to work on them; another option is to close them as invalid (it would be a pity IMHO)
> >
> > Enrico
> >
> > On Mon, 28 Sep 2020 at 15:03 Tom DuBuisson <to...@muse.dev> wrote:
> >
> > Enrico,
> > That sounds great. We'll get the repo activated.
> >
> > Tom
> >
> > On Sun, Sep 27, 2020, 11:11 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > > Tom
> > > Overall I think that we can move forward.
> > >
> > > This thread has been around for a while, there are no objections, every question has been answered.
> > >
> > > Thank you very much
> > >
> > > I hope this activity will help in growing the ZooKeeper project both in code quality and with more contributions, that is to help the community to grow.
> > >
> > > Best regards
> > >
> > > Enrico
> > >
> > > On Mon, 28 Sep 2020, 01:27 Tom DuBuisson <to...@muse.dev> wrote:
> > >
> > > > Norbert,
> > > >
> > > > Yes, you understand that correctly. And those analyzers are FindSecBugs, Error Prone and Infer. All open source and in moderate to wide use already. Only FindSecBugs is security specific - Infer and Error Prone might find security bugs but they are more general purpose in nature.
> > > >
> > > > -Tom
> > > >
> > > > On Sun, Sep 27, 2020 at 3:43 PM Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:
> > > >
> > > > > Hello Tom,
> > > > >
> > > > > +1 on the initiative, thanks for bringing this to our attention.
> > > > >
> > > > > If I understand correctly, there will be no disclosed security issues which cannot be found with open source static analyzers.
> > > > >
> > > > > Regards,
> > > > > Norbert
> > > > >
> > > > > On Sun, Sep 27, 2020 at 8:23 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > > > >
> > > > > > Hello Guys,
> > > > > >
> > > > > > In general I like the idea, but unfortunately I can not really participate (either in the coding or in the review) as I have a few important projects close to deadline at the moment.
> > > > > >
> > > > > > My only concern is with the security bugs, which I don't like to be openly reported before publishing a release with the fix. But for any other kind of bugfixes / improvements, I am very positive about the initiative.
> > > > > >
> > > > > > Best regards,
> > > > > > Mate
> > > > > >
> > > > > > On Sun, Sep 27, 2020, 07:06 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > >
> > > > > > > Enrico et al,
> > > > > > >
> > > > > > > Are there other thoughts on this? It would be great to get set up before the bash actually begins. Enrico, lacking other voices, would you like to make a final call?
> > > > > > >
> > > > > > > -Tom
> > > > > > >
> > > > > > > On Thu, Sep 24, 2020 at 3:30 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > >
> > > > > > > > Tom,
> > > > > > > > Personally I am +1 with this proposal. Thanks for your clarifications.
> > > > > > > >
> > > > > > > > But we should hear opinions from other people in this list
> > > > > > > >
> > > > > > > > Enrico
> > > > > > > >
> > > > > > > > On Wed, 23 Sep 2020 at 23:51 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > >
> > > > > > > > > Enrico,
> > > > > > > > >
> > > > > > > > > On the topic of security issues and reporting: Muse's default configuration is open source tools and here it is run on open source projects. The results are thus already available publicly (in this case from FSB, Infer, and Error Prone). Muse doesn't post anything to GitHub except in the case of pull requests, and then only if the bug is deemed to have been "introduced" as part of the PR - meaning it shouldn't be a vulnerability in currently shipped software.
> > > > > > > > >
> > > > > > > > > If there are desires or proposals about more control over bug reports in a convenient, configurable manner then we'd really like to dig in and hear how to help. In case there is more discussion on this point I'm CCing Andrew who leads Muse's product design.
> > > > > > > > >
> > > > > > > > > -Tom
> > > > > > > > >
> > > > > > > > > On Wed, Sep 23, 2020 at 1:09 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > On Wed, 23 Sep 2020, 19:02 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > > > >
> > > > > > > > > > > Enrico,
> > > > > > > > > > >
> > > > > > > > > > > The Muse App requires two main abilities. First is events, such as notification when pull requests are opened or updated. Second is permission to post comments (which is always possible for humans but more tightly controlled when the poster authenticates as a GitHub application). The repository being public has allowed us to run the app and observe ErrorProne, Infer, and FindSecBugs all run out of the box and without custom configuration.
> > > > > > > > > >
> > > > > > > > > > Makes sense.
> > > > > > > > > >
> > > > > > > > > > One last question from my side
> > > > > > > > > > What about security issues?
> > > > > > > > > > Our policy is to have them reported to secur...@zookeeper.apache.org before public disclosure
> > > > > > > > > >
> > > > > > > > > > Enrico
> > > > > > > > > >
> > > > > > > > > > > Cheers,
> > > > > > > > > > > Tom
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Sep 23, 2020 at 6:35 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > On Wed, 23 Sep 2020, 00:44 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > ZooKeeper Developers,
> > > > > > > > > > > > >
> > > > > > > > > > > > > As part of our sponsorship of ApacheCon, our company MuseDev is doing a Bug Bash for select Apache projects. We'll bring members of the ApacheCon community together to find and fix a range of security and performance bugs during the conference, and gamify the experience with teams, a leaderboard, and prizes. The bash is open to everyone whether attending the conference or not, and our whole dev team will also be participating to help fix as many bugs as we can.
> > > > > > > > > > > > >
> > > > > > > > > > > > > We're seeding the bug list with results from Muse, our code analysis platform, which runs as a GitHub App and comments on possible bugs as part of the pull request workflow. Here's an example of what it looks like:
> > > > > > > > > > > > > https://github.com/curl/curl/pull/5971#discussion_r490252196
> > > > > > > > > > > > >
> > > > > > > > > > > > > We explored a number of Apache projects and are reaching out because our analysis through Muse found some interesting bugs that could be fixed during the Bash.
> > > > > > > > > > > > >
> > > > > > > > > > > > > We're writing to see if you'd be interested in having your project included in the Bash. Everything is set up on our end, and if you're interested, we would need you to say yes on this listserv, and we'll work with the Apache Infrastructure team to grant Muse access to your GitHub mirror.
> > > > > > > > > > > >
> > > > > > > > > > > > It is a public repo, which kind of access does it need?
> > > > > > > > > > > >
> > > > > > > > > > > > Enrico
> > > > > > > > > > > >
> > > > > > > > > > > > > We'll then make sure it's all set up and ready for the Bash. And of course, everyone on the project is most welcome to join the Bash and help us smash some bugs.
> > > > > > > > > > > > >
> > > > > > > > > > > > > -Tom
>
> --
> Rich Bowen
> rbo...@rcbowen.com