Re: Fedora 35 security update of curl blocked for a month
On Thursday, November 4, 2021 2:07:53 AM CET Adam Williamson wrote:
> On Wed, 2021-11-03 at 09:38 -0700, Adam Williamson wrote:
> > > and that its
> > > subject nor the body contained any information besides the (currently
> > > valid) URL to some JSON data.
> >
> > I don't recall exactly how this part works, but it's *probably* because
> > this is broken:
> >
> > https://github.com/fedora-infra/fedmsg_meta_fedora_infrastructure/blob/develop/fedmsg_meta_fedora_infrastructure/waiverdb.py#L33-L36
> >
> > note it tries to use the key 'result_id' from the message, but current
> > waiverdb.waiver.new messages do not seem to include that field.
>
> This should fix it:
> https://github.com/fedora-infra/fedmsg_meta_fedora_infrastructure/pull/508

Thank you for working on it!

Kamil
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Fedora 35 security update of curl blocked for a month
Sounds interesting. Thanks.
Re: Fedora 35 security update of curl blocked for a month
On Wed, 2021-11-03 at 09:38 -0700, Adam Williamson wrote:
> > and that its
> > subject nor the body contained any information besides the (currently
> > valid) URL to some JSON data.
>
> I don't recall exactly how this part works, but it's *probably* because
> this is broken:
>
> https://github.com/fedora-infra/fedmsg_meta_fedora_infrastructure/blob/develop/fedmsg_meta_fedora_infrastructure/waiverdb.py#L33-L36
>
> note it tries to use the key 'result_id' from the message, but current
> waiverdb.waiver.new messages do not seem to include that field.

This should fix it:
https://github.com/fedora-infra/fedmsg_meta_fedora_infrastructure/pull/508

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
Re: Fedora 35 security update of curl blocked for a month
On Wed, Nov 03, 2021 at 09:38:57AM -0700, Adam Williamson wrote:
...snip...
>
> I'll send a patch to fix that. Of course, what we're *really* behind on
> here is getting datagrepper and FMN rewritten to use fedora-messaging
> and message schemas[0] instead of fedmsg and the fedmsg_meta stuff...
>
> [0] https://fedora-messaging.readthedocs.io/en/latest/messages.html#schema

So, just FYI on this part...

CPE folks actually worked on modernizing datanommer/datagrepper recently:
https://pagure.io/cpe/initiatives-proposal/issue/8

The database is currently being migrated from just postgres to
timescaledb, but it's a gigantic db and it's taking a long time to do
so. Hopefully it will be finished by the end of the year...

I really hope we get around to FMN soon... it's really ancient at this
point and has a lot of problems. ;(

kevin
Re: Fedora 35 security update of curl blocked for a month
On Wed, 2021-11-03 at 08:54 +0100, Kamil Dudka wrote:
> On Tuesday, November 2, 2021 6:32:34 PM CET Adam Williamson wrote:
> > 4. The email notifications should be customizable via
> > https://apps.fedoraproject.org/notifications/ , I believe. I do agree
> > it would be good if we could tweak some defaults in the notification
> > code to not notify you when you do things to your own stuff, as you
> > likely don't need a notification in that case. But I never get around
> > to doing this for my own account, let alone sending a patch to make it
> > better for everyone...
>
> To be clear, the problem is not that I get notifications for my own actions.
> I prefer to get such notifications on services like Github or Bugzilla, so
> that the full story is recorded in my mailbox.
>
> The actual problem was that I received the same e-mail 49 times

This is because, although you clicked the button once, it submitted 49
separate waivers. That's arguably more Bodhi's fault than the
notification system's; it should maybe be smart enough to assume you
only want to waive *failed* tests, not waive every single test that was
run on the update.

> and that its
> subject nor the body contained any information besides the (currently valid)
> URL to some JSON data.

I don't recall exactly how this part works, but it's *probably* because
this is broken:

https://github.com/fedora-infra/fedmsg_meta_fedora_infrastructure/blob/develop/fedmsg_meta_fedora_infrastructure/waiverdb.py#L33-L36

note it tries to use the key 'result_id' from the message, but current
waiverdb.waiver.new messages do not seem to include that field.

This is also why, when you look up waiverdb messages on datagrepper:

https://apps.fedoraproject.org/datagrepper/raw?category=waiverdb=172800

they don't have a little summary after 'JSON' like messages whose
metadata processor works do (that summary is this same 'subtitle' thing
from the metadata processor).

I would guess that the notification system wants to use that subtitle
either as the mail subject or in the body or both, but because it's
broken, it falls back on just "fedmsg notification".

I'll send a patch to fix that. Of course, what we're *really* behind on
here is getting datagrepper and FMN rewritten to use fedora-messaging
and message schemas[0] instead of fedmsg and the fedmsg_meta stuff...

[0] https://fedora-messaging.readthedocs.io/en/latest/messages.html#schema

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
Re: Fedora 35 security update of curl blocked for a month
On Tuesday, November 2, 2021 6:32:34 PM CET Adam Williamson wrote:
> 4. The email notifications should be customizable via
> https://apps.fedoraproject.org/notifications/ , I believe. I do agree
> it would be good if we could tweak some defaults in the notification
> code to not notify you when you do things to your own stuff, as you
> likely don't need a notification in that case. But I never get around
> to doing this for my own account, let alone sending a patch to make it
> better for everyone...

To be clear, the problem is not that I get notifications for my own actions.
I prefer to get such notifications on services like Github or Bugzilla, so
that the full story is recorded in my mailbox.

The actual problem was that I received the same e-mail 49 times and that its
subject nor the body contained any information besides the (currently valid)
URL to some JSON data.

Kamil
Re: Fedora 35 security update of curl blocked for a month
On Tuesday, November 2, 2021 8:30:15 PM CET Adam Williamson wrote:
> Further to this: I did re-run the tests, they did pass, it did make
> Bodhi happy, and I successfully submitted the update to stable. It
> should get pushed in the next push, I hope.
>
> It looks like what happened is that Bodhi didn't update its recorded
> gating status for the update when the waivers were submitted. Note
> there's two different calculations of the gating status in Bodhi, which
> can confuse things. The status you see on the right-hand side of the
> web UI - "All required tests passed" or whatever - is actually
> generated *by the front end code* whenever your browser loads the page.
> The JS front end code runs a (verbose) Greenwave query when you view
> the page, and uses the results to generate that status and also the
> Automated Tests results list itself. So that status will always be 'up
> to date'.
>
> When you try and push the update, though - whether by clicking on the
> button in the web UI, or using the CLI client - Bodhi doesn't use that
> status, because the Bodhi back end code doesn't *know* about that
> status at all. Instead it checks a property of the update object, which
> gets updated...sometimes. The "This update's test gating status has
> been changed to XXX" messages that get posted on the update
> periodically are actually telling you about *that* status check.
> Basically, unless the most recent message was "This update's test
> gating status has been changed to passed" or "This update's test gating
> status has been changed to ignored", you will not be able to push it.
>
> I think probably the bit that broke down here is that when you
> submitted your waivers, Bodhi didn't get told. The way this is
> *currently* supposed to work is that Greenwave listens out for new
> waivers, decides whether they change an update push decision, and
> publishes a greenwave.decision.update message if so. Bodhi listens for
> the greenwave.decision.update messages and either just accepts what
> they say or re-calculates the decision (it depends on some other stuff
> that doesn't matter rn). Looking through datagrepper logs, I see
> waiverdb.waiver.new messages from waiverdb when you created your
> waivers, but I *don't* see greenwave.decision.update messages in
> response to them. So I think Greenwave messed up and didn't think the
> waivers changed the decision. So Bodhi didn't get a message telling it
> to re-calculate the gating status, and it stayed at 'failed'.
>
> There is, I believe, a cron job that runs every few hours or every day
> or something that re-calculates the gating status of *every* active
> update, so it would probably have got caught up at some point. But it
> should really get recalculated as soon as a relevant waiver is
> submitted.
>
> I *hope* this should be fixed in the next Bodhi release, whenever it
> gets done and deployed. I actually rewrote how that works completely:
>
> https://github.com/fedora-infra/bodhi/pull/4230
>
> mainly because I considered the existing design to be flat out wrong
> (for reasons I won't go into unless you really care :>), but also
> because I did, a few months ago, look through the code and find that
> greenwave could get this wrong for openQA tests/waivers. I forget the
> details, but there's some point at which it makes some assumptions
> which are only true for CI tests/waivers. I started out aiming to fix
> that, but instead decided the design was wrong and it made more sense
> to have Bodhi just listen out for new result / new waiver messages
> directly. I believe I wrote that properly so it will work for
> waivers/results related to both CI and openQA tests, but we'll find out
> for sure when it's deployed, I guess. :D
>
> Sorry again for the trouble!

Thank you for taking care of the update as well as explaining the problem
in detail!

Kamil
Re: Fedora 35 security update of curl blocked for a month
On Tue, Nov 2, 2021 at 7:30 PM Adam Williamson wrote:
> Further to this .

Thanks for the report on your research. When there are enough fragile
moving parts, sooner or later something goes sideways
Re: Fedora 35 security update of curl blocked for a month
On Tue, Nov 02, 2021 at 02:43:05PM +0100, Kamil Dudka wrote:
> As a side-effect I received 49 identical e-mails from notificati...@fedoraproject.org
> with not very specific subject "fedmsg notification" and the following link inside:

"Update fedmsg notification email system" is one of the potential future CPE
(Red Hat Community Platform Engineering) projects. Lots of other needs to
balance it against, though.

--
Matthew Miller
Fedora Project Leader
Re: Fedora 35 security update of curl blocked for a month
On Tue, 2021-11-02 at 10:32 -0700, Adam Williamson wrote:
>
> 3. I'm not sure why Bodhi is still not allowing the update to be
> submitted for stable even though the tests have been waived, this is
> odd. I ran the greenwave query manually and it returns (in part):
>
> "policies_satisfied": true,
> "unsatisfied_requirements": []
>
> which should always satisfy Bodhi. If I've figured this out before (as
> Kalev implied), then I've forgotten it now. :P But whenever the new
> Bodhi version actually does get released and deployed, it tweaks
> several things in this area, so whatever the problem is may get fixed.
> Hopefully, once I re-run the openQA tests and they actually pass, Bodhi
> will be happy.

Further to this: I did re-run the tests, they did pass, it did make
Bodhi happy, and I successfully submitted the update to stable. It
should get pushed in the next push, I hope.

It looks like what happened is that Bodhi didn't update its recorded
gating status for the update when the waivers were submitted. Note
there's two different calculations of the gating status in Bodhi, which
can confuse things. The status you see on the right-hand side of the
web UI - "All required tests passed" or whatever - is actually
generated *by the front end code* whenever your browser loads the page.
The JS front end code runs a (verbose) Greenwave query when you view
the page, and uses the results to generate that status and also the
Automated Tests results list itself. So that status will always be 'up
to date'.

When you try and push the update, though - whether by clicking on the
button in the web UI, or using the CLI client - Bodhi doesn't use that
status, because the Bodhi back end code doesn't *know* about that
status at all. Instead it checks a property of the update object, which
gets updated...sometimes. The "This update's test gating status has
been changed to XXX" messages that get posted on the update
periodically are actually telling you about *that* status check.
Basically, unless the most recent message was "This update's test
gating status has been changed to passed" or "This update's test gating
status has been changed to ignored", you will not be able to push it.

I think probably the bit that broke down here is that when you
submitted your waivers, Bodhi didn't get told. The way this is
*currently* supposed to work is that Greenwave listens out for new
waivers, decides whether they change an update push decision, and
publishes a greenwave.decision.update message if so. Bodhi listens for
the greenwave.decision.update messages and either just accepts what
they say or re-calculates the decision (it depends on some other stuff
that doesn't matter rn). Looking through datagrepper logs, I see
waiverdb.waiver.new messages from waiverdb when you created your
waivers, but I *don't* see greenwave.decision.update messages in
response to them. So I think Greenwave messed up and didn't think the
waivers changed the decision. So Bodhi didn't get a message telling it
to re-calculate the gating status, and it stayed at 'failed'.

There is, I believe, a cron job that runs every few hours or every day
or something that re-calculates the gating status of *every* active
update, so it would probably have got caught up at some point. But it
should really get recalculated as soon as a relevant waiver is
submitted.

I *hope* this should be fixed in the next Bodhi release, whenever it
gets done and deployed. I actually rewrote how that works completely:

https://github.com/fedora-infra/bodhi/pull/4230

mainly because I considered the existing design to be flat out wrong
(for reasons I won't go into unless you really care :>), but also
because I did, a few months ago, look through the code and find that
greenwave could get this wrong for openQA tests/waivers. I forget the
details, but there's some point at which it makes some assumptions
which are only true for CI tests/waivers. I started out aiming to fix
that, but instead decided the design was wrong and it made more sense
to have Bodhi just listen out for new result / new waiver messages
directly. I believe I wrote that properly so it will work for
waivers/results related to both CI and openQA tests, but we'll find out
for sure when it's deployed, I guess. :D

Sorry again for the trouble!

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
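
The datagrepper check described in the message above (waiverdb.waiver.new messages with no greenwave.decision.update in response, and a stored gating status that disagrees with a live Greenwave query), as an added example that is not part of the thread and is not Bodhi or Greenwave code. The message layout, the field names (`subject_identifier`, `testcase`, `waived`), the test case names and the second update ID are constructed for illustration.

```python
"""Correlate waiver messages with Greenwave decision messages (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WAIVER_TOPIC = "waiverdb.waiver.new"          # topic names as written in the thread
DECISION_TOPIC = "greenwave.decision.update"
PUSHABLE_STATUSES = ("passed", "ignored")     # per the thread: only these allow a push


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def _msg(topic, when, **body):
    return {"topic": topic, "time": _ts(when), "body": body}


# Constructed sample bus traffic. Field names and values are assumptions.
SAMPLE_MESSAGES = [
    # An old decision for the curl update, published before any waiver existed.
    _msg(DECISION_TOPIC, "2021-11-02T09:00:00",
         subject_identifier="FEDORA-2021-1d24845e93", policies_satisfied=False),
    # Three waivers for the same update, with no decision message afterwards.
    _msg(WAIVER_TOPIC, "2021-11-02T13:17:30",
         subject_identifier="FEDORA-2021-1d24845e93",
         testcase="example.test.a", waived=True),
    _msg(WAIVER_TOPIC, "2021-11-02T13:17:31",
         subject_identifier="FEDORA-2021-1d24845e93",
         testcase="example.test.b", waived=True),
    _msg(WAIVER_TOPIC, "2021-11-02T13:17:32",
         subject_identifier="FEDORA-2021-1d24845e93",
         testcase="example.test.c", waived=True),
    # A second, constructed update where the flow works as intended.
    _msg(WAIVER_TOPIC, "2021-11-02T14:00:00",
         subject_identifier="FEDORA-EXAMPLE-0001",
         testcase="example.test.a", waived=True),
    _msg(DECISION_TOPIC, "2021-11-02T14:00:20",
         subject_identifier="FEDORA-EXAMPLE-0001", policies_satisfied=True),
]


def find_unacknowledged_waivers(messages, window=timedelta(minutes=10)):
    """Return {update_id: [testcase, ...]} for waivers that were not followed
    by a decision message for the same update within `window`."""
    decisions = defaultdict(list)
    for message in messages:
        if message["topic"] == DECISION_TOPIC:
            decisions[message["body"]["subject_identifier"]].append(message["time"])

    missing = defaultdict(list)
    for message in messages:
        body = message["body"]
        if message["topic"] != WAIVER_TOPIC or not body.get("waived", False):
            continue
        sent = message["time"]
        update_id = body["subject_identifier"]
        # A decision only counts if it was published after the waiver.
        answered = any(sent <= seen <= sent + window
                       for seen in decisions.get(update_id, []))
        if not answered:
            missing[update_id].append(body["testcase"])
    return dict(missing)


def gating_is_stale(stored_status, live_decision):
    """True when the stored gating status blocks a push that a live Greenwave
    query (policies_satisfied / unsatisfied_requirements) would allow."""
    live_ok = bool(live_decision["policies_satisfied"]) and \
        not live_decision["unsatisfied_requirements"]
    return live_ok and stored_status not in PUSHABLE_STATUSES


if __name__ == "__main__":
    for update_id, testcases in find_unacknowledged_waivers(SAMPLE_MESSAGES).items():
        print(f"{update_id}: {len(testcases)} waiver(s) with no decision update")
    live = {"policies_satisfied": True, "unsatisfied_requirements": []}
    print("stored status stale:", gating_is_stale("failed", live))
```
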
Re: Fedora 35 security update of curl blocked for a month
On Tue, 2021-11-02 at 16:19 +0100, Kalev Lember wrote:
> On Tue, Nov 2, 2021 at 3:50 PM Kamil Dudka wrote:
>
> > On Tuesday, November 2, 2021 3:37:03 PM CET Fabio Valentini wrote:
> > > Maybe multiple people attempting to waive test results and re-triggering
> > > tests while things are still pending is not a good idea?
> > >
> > > It looks like the re-triggered tests failed again, after the tests had been
> > > waived, overriding the waiver. (please correct me if I'm wrong)
> > >
> > > Fabio
> > >
> > > (PS: sorry if this shows up as HTML email, I don't have access to my Fedora
> > > machine right now)
> >
> > To be sure, I tried to do both actions (waive and request stable) in a short
> > period of time but the result is still the same. Another batch of useless
> > e-mail notifications is now coming my way...
> >
>
> My understanding is that the test that failed and is blocking the push to
> stable is the openQA test. When I discussed a similar issue that a GNOME
> megaupdate ran into with adamw a few weeks ago, he said that the way to
> retrigger openQA tests is to either edit the builds in the update or
> unpush/submit it again to testing, and that the retrigger tests button
> doesn't do anything for openQA tests. Apparently Bodhi also has some kind
> of issue with waiving openQA tests so waiving doesn't work in practice. :)
>
> Maybe it's worth a try here to see if unpushing and resubmitting to testing
> helps? And if it doesn't, maybe ask on irc in #fedora-qa to see if they can
> help get the openQA tests for the update going again?

Yeah, so, uh, sorry about this! There are kind of a lot of moving parts
here.

I explained in an early comment on the update why the tests failed
initially - the update depended on a version of openssl which was still
in updates-testing, so it was correct that the tests failed then. It
looks like that openssl update was later pushed stable, but the tests
on the curl update do not appear to have been re-run until today. So
until today, the update was still blocked on the original failed tests.

Today the tests have got re-run but in an unfortunate coincidence of
timing, some of them failed again. This is entirely my fault - it
happened because I updated a definition of the 'current stable' release
of Fedora last night and forgot I needed to trigger a rebuild of
openQA's base disk images at the same time, otherwise tests will fail
because they try to use an image that hasn't been built. I'm doing that
now and will re-run the tests, they should pass this time.

Other issues:

1. As noted, this could not have been pushed stable until this week
anyway as there was no FE or blocker bug. As Peter said, if there is a
good reason to push an update stable during freeze - 'fixes a security
bug' is certainly a good reason - please propose a bug that the update
fixes as a release blocker (if it's "important" or higher on the RH
scale) or freeze exception (otherwise). You can do this via
https://qa.fedoraproject.org/blockerbugs/propose_bug .

2. The "re-trigger tests" button in Bodhi does not currently re-run
openQA tests due to a couple of bugs in Bodhi which make it more or
less impossible to implement properly. I've fixed those bugs, but a new
version of Bodhi which includes the fixes has not yet been released and
deployed to stable. When it is, I can update the openQA test scheduler
to respond to the messages the button publishes; I have a ticket for
that and am just waiting on the Bodhi update. As Kalev says, you can
trigger an openQA re-run by editing the update in any way (just adding
or removing a single character from the description will do it), though
this is of course a non-obvious workaround.

3. I'm not sure why Bodhi is still not allowing the update to be
submitted for stable even though the tests have been waived, this is
odd. I ran the greenwave query manually and it returns (in part):

"policies_satisfied": true,
"unsatisfied_requirements": []

which should always satisfy Bodhi. If I've figured this out before (as
Kalev implied), then I've forgotten it now. :P But whenever the new
Bodhi version actually does get released and deployed, it tweaks
several things in this area, so whatever the problem is may get fixed.
Hopefully, once I re-run the openQA tests and they actually pass, Bodhi
will be happy.

4. The email notifications should be customizable via
https://apps.fedoraproject.org/notifications/ , I believe. I do agree
it would be good if we could tweak some defaults in the notification
code to not notify you when you do things to your own stuff, as you
likely don't need a notification in that case. But I never get around
to doing this for my own account, let alone sending a patch to make it
better for everyone...

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
Re: Fedora 35 security update of curl blocked for a month
On Tuesday, November 2, 2021 4:19:23 PM CET Kalev Lember wrote:
> My understanding is that the test that failed and is blocking the push to
> stable is the openQA test. When I discussed a similar issue that a GNOME
> megaupdate ran into with adamw a few weeks ago, he said that the way to
> retrigger openQA tests is to either edit the builds in the update or
> unpush/submit it again to testing, and that the retrigger tests button
> doesn't do anything for openQA tests. Apparently Bodhi also has some kind
> of issue with waiving openQA tests so waiving doesn't work in practice. :)
>
> Maybe it's worth a try here to see if unpushing and resubmitting to testing
> helps? And if it doesn't, maybe ask on irc in #fedora-qa to see if they can
> help get the openQA tests for the update going again?
>
> Hope this helps,
> Kalev

Thanks for the suggestion! I have just tried it. It seems to be one step
backwards now but it might help with some delay...

Kamil
Re: Fedora 35 security update of curl blocked for a month
On Tue, Nov 2, 2021 at 3:50 PM Kamil Dudka wrote:

> On Tuesday, November 2, 2021 3:37:03 PM CET Fabio Valentini wrote:
> > Maybe multiple people attempting to waive test results and re-triggering
> > tests while things are still pending is not a good idea?
> >
> > It looks like the re-triggered tests failed again, after the tests had been
> > waived, overriding the waiver. (please correct me if I'm wrong)
> >
> > Fabio
> >
> > (PS: sorry if this shows up as HTML email, I don't have access to my Fedora
> > machine right now)
>
> To be sure, I tried to do both actions (waive and request stable) in a short
> period of time but the result is still the same. Another batch of useless
> e-mail notifications is now coming my way...
>

My understanding is that the test that failed and is blocking the push to
stable is the openQA test. When I discussed a similar issue that a GNOME
megaupdate ran into with adamw a few weeks ago, he said that the way to
retrigger openQA tests is to either edit the builds in the update or
unpush/submit it again to testing, and that the retrigger tests button
doesn't do anything for openQA tests. Apparently Bodhi also has some kind
of issue with waiving openQA tests so waiving doesn't work in practice. :)

Maybe it's worth a try here to see if unpushing and resubmitting to testing
helps? And if it doesn't, maybe ask on irc in #fedora-qa to see if they can
help get the openQA tests for the update going again?

Hope this helps,
Kalev
Re: Fedora 35 security update of curl blocked for a month
On Tuesday, November 2, 2021 3:37:03 PM CET Fabio Valentini wrote:
> Maybe multiple people attempting to waive test results and re-triggering
> tests while things are still pending is not a good idea?
>
> It looks like the re-triggered tests failed again, after the tests had been
> waived, overriding the waiver. (please correct me if I'm wrong)
>
> Fabio
>
> (PS: sorry if this shows up as HTML email, I don't have access to my Fedora
> machine right now)

To be sure, I tried to do both actions (waive and request stable) in a short
period of time but the result is still the same. Another batch of useless
e-mail notifications is now coming my way...

Kamil
Re: Fedora 35 security update of curl blocked for a month
On Tue, Nov 2, 2021, 15:31 Miro Hrončok wrote:

> On 02. 11. 21 15:10, Mattia Verga via devel wrote:
> > On 02/11/21 14:43, Kamil Dudka wrote:
> >> On Tuesday, November 2, 2021 2:17:28 PM CET Kamil Dudka wrote:
> >>> On Tuesday, November 2, 2021 1:58:02 PM CET Miro Hrončok wrote:
> >>>> On 02. 11. 21 8:47, Kamil Dudka wrote:
> >>>>> On September 22 I submitted a Fedora 35 update of curl, which obsoleted
> >>>>> a previously submitted security update of curl. The update has reached
> >>>>> karma +13 since then, yet I was unable to make Bodhi push the update to
> >>>>> stable:
> >>>>>
> >>>>> https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
> >>>>>
> >>>>> I can see that there are some automated tests failing but I have no idea
> >>>>> where the tests come from or how to waive their results.
> >>>> To waive their results:
> >>>> $ bodhi updates waive FEDORA-2021-1d24845e93 "Test didn't run"
> >>> Thanks for the hint! I have just tried it but there seems to be no status
> >>> update as of yet. The current status is still "testing".
> >> As a side-effect I received 49 identical e-mails from notificati...@fedoraproject.org
> >> with not very specific subject "fedmsg notification" and the following link inside:
> >>
> >> https://waiverdb-web-waiverdb.app.os.fedoraproject.org/api/v1.0/waivers/9123
> >>
> >> Kamil
> >
> > It appears that the tests are now waived, so you can push the update to
> > stable as usual.
>
> The right column says:
>
>    "All required tests passed"
>
> The latest message from the comments/karma section says:
>
>    "This update's test gating status has been changed to 'failed'."
>
> And the push to stable action is not available.
>

Maybe multiple people attempting to waive test results and re-triggering
tests while things are still pending is not a good idea?

It looks like the re-triggered tests failed again, after the tests had been
waived, overriding the waiver. (please correct me if I'm wrong)

Fabio

(PS: sorry if this shows up as HTML email, I don't have access to my Fedora
machine right now)

> --
> Miro Hrončok
> --
> Phone: +420777974800
> IRC: mhroncok
Re: Fedora 35 security update of curl blocked for a month
On 02. 11. 21 15:10, Mattia Verga via devel wrote:
> On 02/11/21 14:43, Kamil Dudka wrote:
>> On Tuesday, November 2, 2021 2:17:28 PM CET Kamil Dudka wrote:
>>> On Tuesday, November 2, 2021 1:58:02 PM CET Miro Hrončok wrote:
>>>> On 02. 11. 21 8:47, Kamil Dudka wrote:
>>>>> On September 22 I submitted a Fedora 35 update of curl, which obsoleted
>>>>> a previously submitted security update of curl. The update has reached
>>>>> karma +13 since then, yet I was unable to make Bodhi push the update to
>>>>> stable:
>>>>>
>>>>> https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
>>>>>
>>>>> I can see that there are some automated tests failing but I have no idea
>>>>> where the tests come from or how to waive their results.
>>>> To waive their results:
>>>> $ bodhi updates waive FEDORA-2021-1d24845e93 "Test didn't run"
>>> Thanks for the hint! I have just tried it but there seems to be no status
>>> update as of yet. The current status is still "testing".
>> As a side-effect I received 49 identical e-mails from notificati...@fedoraproject.org
>> with not very specific subject "fedmsg notification" and the following link inside:
>>
>> https://waiverdb-web-waiverdb.app.os.fedoraproject.org/api/v1.0/waivers/9123
>>
>> Kamil
>
> It appears that the tests are now waived, so you can push the update to
> stable as usual.

The right column says:

   "All required tests passed"

The latest message from the comments/karma section says:

   "This update's test gating status has been changed to 'failed'."

And the push to stable action is not available.

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
Re: Fedora 35 security update of curl blocked for a month
On Tuesday, November 2, 2021 3:10:47 PM CET Mattia Verga via devel wrote:
> It appears that the tests are now waived, so you can push the update to
> stable as usual.
>
> Mattia

I wish I could but it is unfortunately still not the case:

$ bodhi updates request FEDORA-2021-1d24845e93 stable
Requirement not met Required tests did not pass on this update

Kamil
Re: Fedora 35 security update of curl blocked for a month
On 02/11/21 14:43, Kamil Dudka wrote:
> On Tuesday, November 2, 2021 2:17:28 PM CET Kamil Dudka wrote:
>> On Tuesday, November 2, 2021 1:58:02 PM CET Miro Hrončok wrote:
>>> On 02. 11. 21 8:47, Kamil Dudka wrote:
>>>> On September 22 I submitted a Fedora 35 update of curl, which obsoleted
>>>> a previously submitted security update of curl. The update has reached
>>>> karma +13 since then, yet I was unable to make Bodhi push the update to
>>>> stable:
>>>>
>>>> https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
>>>>
>>>> I can see that there are some automated tests failing but I have no idea
>>>> where the tests come from or how to waive their results.
>>> To waive their results:
>>> $ bodhi updates waive FEDORA-2021-1d24845e93 "Test didn't run"
>> Thanks for the hint! I have just tried it but there seems to be no status
>> update as of yet. The current status is still "testing".
> As a side-effect I received 49 identical e-mails from
> notificati...@fedoraproject.org
> with not very specific subject "fedmsg notification" and the following link
> inside:
>
> https://waiverdb-web-waiverdb.app.os.fedoraproject.org/api/v1.0/waivers/9123
>
> Kamil

It appears that the tests are now waived, so you can push the update to stable as usual.

Mattia
Re: Fedora 35 security update of curl blocked for a month
On Tuesday, November 2, 2021 2:17:28 PM CET Kamil Dudka wrote:
> On Tuesday, November 2, 2021 1:58:02 PM CET Miro Hrončok wrote:
> > On 02. 11. 21 8:47, Kamil Dudka wrote:
> > > On September 22 I submitted a Fedora 35 update of curl, which obsoleted
> > > a previously submitted security update of curl. The update has reached
> > > karma +13 since then, yet I was unable to make Bodhi push the update to
> > > stable:
> > >
> > > https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
> > >
> > > I can see that there are some automated tests failing but I have no idea
> > > where the tests come from or how to waive their results.
> >
> > To waive their results:
> > $ bodhi updates waive FEDORA-2021-1d24845e93 "Test didn't run"
>
> Thanks for the hint! I have just tried it but there seems to be no status
> update as of yet. The current status is still "testing".

As a side-effect I received 49 identical e-mails from notificati...@fedoraproject.org
with not very specific subject "fedmsg notification" and the following link inside:

https://waiverdb-web-waiverdb.app.os.fedoraproject.org/api/v1.0/waivers/9123

Kamil
Re: Fedora 35 security update of curl blocked for a month
On Tuesday, November 2, 2021 1:58:02 PM CET Miro Hrončok wrote:
> On 02. 11. 21 8:47, Kamil Dudka wrote:
> > On September 22 I submitted a Fedora 35 update of curl, which obsoleted
> > a previously submitted security update of curl. The update has reached
> > karma +13 since then, yet I was unable to make Bodhi push the update to
> > stable:
> >
> > https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
> >
> > I can see that there are some automated tests failing but I have no idea
> > where the tests come from or how to waive their results.
>
> To waive their results:
>
> $ bodhi updates waive FEDORA-2021-1d24845e93 "Test didn't run"

Thanks for the hint! I have just tried it but there seems to be no status update as of yet. The current status is still "testing". The only action that is available to me is "Unpush", which is not really helpful.

> To actually run the tests: there is a *Re-Trigger Tests* button in the right
> column of the update in bodhi. Also:
>
> $ bodhi updates trigger-tests FEDORA-2021-1d24845e93

I clicked the button multiple times in the past. It did not help.

Kamil
Re: Fedora 35 security update of curl blocked for a month
On 02. 11. 21 8:47, Kamil Dudka wrote:
> On September 22 I submitted a Fedora 35 update of curl, which obsoleted
> a previously submitted security update of curl. The update has reached
> karma +13 since then, yet I was unable to make Bodhi push the update to
> stable:
>
> https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
>
> I can see that there are some automated tests failing but I have no idea
> where the tests come from or how to waive their results.

To waive their results:

$ bodhi updates waive FEDORA-2021-1d24845e93 "Test didn't run"

To actually run the tests: there is a *Re-Trigger Tests* button in the right column of the update in bodhi. Also:

$ bodhi updates trigger-tests FEDORA-2021-1d24845e93

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
Re: Fedora 35 security update of curl blocked for a month
On Tue, Nov 02, 2021 at 09:49:45AM +0100, Kamil Dudka wrote:
> On Tuesday, November 2, 2021 9:14:31 AM CET Peter Robinson wrote:
> > On Tue, Nov 2, 2021 at 7:48 AM Kamil Dudka wrote:
> > > On September 22 I submitted a Fedora 35 update of curl, which obsoleted
> > > a previously submitted security update of curl. The update has reached
> > > karma +13 since then, yet I was unable to make Bodhi push the update to
> > > stable:
> > >
> > > https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
> > >
> > > I can see that there are some automated tests failing but I have no idea
> > > where the tests come from or how to waive their results. The tests
> > > directory in the f35 branch in Fedora git has not been touched since
> > > 2017:
> > >
> > > https://src.fedoraproject.org/rpms/curl/c/c7e4ac60
> > >
> > > Any idea how to move the update forward?
> >
> > Well I don't know about the tests but you could have filed it as a
> > blocker/freeze exception [1] for F-35 as we have a policy for fixing
> > CVEs for things that are shipped in core artifacts because things like
> > installers/Live images etc aren't updated over the life of the
> > release, that ship has now sailed but please be aware of the process
> > going forward especially for something as core as curl.

Yep, if there's a security-relevant update, a freeze exception should be filed.

> > [1] https://qa.fedoraproject.org/blockerbugs/
>
> Thanks for heads up! Nevertheless, curl upstream releases each 8 weeks and
> each release usually contains some security fixes. So, if the images do not
> get updated over the life of the release, we will be in a similar situation
> a few weeks later anyway. And we always need to balance the risk and profit
> for any last minute changes...

How many of those issues are relevant to the functionality used by the installer? E.g. bugs in gopher:// or ftp:// don't really matter.

Zbyszek
Re: Fedora 35 security update of curl blocked for a month
On Tuesday, November 2, 2021 9:14:31 AM CET Peter Robinson wrote:
> On Tue, Nov 2, 2021 at 7:48 AM Kamil Dudka wrote:
> > On September 22 I submitted a Fedora 35 update of curl, which obsoleted
> > a previously submitted security update of curl. The update has reached
> > karma +13 since then, yet I was unable to make Bodhi push the update to
> > stable:
> >
> > https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
> >
> > I can see that there are some automated tests failing but I have no idea
> > where the tests come from or how to waive their results. The tests
> > directory in the f35 branch in Fedora git has not been touched since
> > 2017:
> >
> > https://src.fedoraproject.org/rpms/curl/c/c7e4ac60
> >
> > Any idea how to move the update forward?
>
> Well I don't know about the tests but you could have filed it as a
> blocker/freeze exception [1] for F-35 as we have a policy for fixing
> CVEs for things that are shipped in core artifacts because things like
> installers/Live images etc aren't updated over the life of the
> release, that ship has now sailed but please be aware of the process
> going forward especially for something as core as curl.
>
> [1] https://qa.fedoraproject.org/blockerbugs/

Thanks for heads up! Nevertheless, curl upstream releases each 8 weeks and each release usually contains some security fixes. So, if the images do not get updated over the life of the release, we will be in a similar situation a few weeks later anyway. And we always need to balance the risk and profit for any last minute changes...

Kamil
Re: Fedora 35 security update of curl blocked for a month
On Tue, Nov 2, 2021 at 7:48 AM Kamil Dudka wrote:
>
> On September 22 I submitted a Fedora 35 update of curl, which obsoleted
> a previously submitted security update of curl. The update has reached
> karma +13 since then, yet I was unable to make Bodhi push the update to
> stable:
>
> https://bodhi.fedoraproject.org/updates/FEDORA-2021-1d24845e93
>
> I can see that there are some automated tests failing but I have no idea
> where the tests come from or how to waive their results. The tests
> directory in the f35 branch in Fedora git has not been touched since 2017:
>
> https://src.fedoraproject.org/rpms/curl/c/c7e4ac60
>
> Any idea how to move the update forward?

Well I don't know about the tests but you could have filed it as a blocker/freeze exception [1] for F-35 as we have a policy for fixing CVEs for things that are shipped in core artifacts because things like installers/Live images etc aren't updated over the life of the release, that ship has now sailed but please be aware of the process going forward especially for something as core as curl.

[1] https://qa.fedoraproject.org/blockerbugs/