Hi Cephers,

These are the minutes of today's meeting (quicker than usual since some CLT members were at Ceph Days NYC):

- *[Yuri] Upcoming Releases:*
  - Pending PRs for Quincy
  - Sepia Lab still absorbing the PR queue after the past issues
- [Ernesto] Github started sending dependabot alerts to devels (previously it was only sent to org admins)
  - https://github.blog/2023-01-17-dependabot-alerts-are-now-visible-to-more-developers/
  - Most don't necessarily involve a risk (e.g.: Javascript dependency only exploitable in a back-end/node.js server)...
  - ... but it might still cause some unnecessary concern among devs/users regarding Ceph security status
  - Current list of vulnerable dependencies: https://github.com/ceph/ceph/security/dependabot
    - 40% are Dashboard Javascript ones (most could be dismissed since only impact when used on node.js apps)
    - Remaining ones are:
      - Python: requirements.txt (not relevant since Python package versions change with every distro and we assume distro-maintainers will fix those)
        - It might become more relevant when we start packaging Python deps (https://github.com/ceph/ceph/pull/47501/)
      - Golang: "/examples/rgw" path (Casey opened https://tracker.ceph.com/issues/58828, but maybe we should just dismiss the alert?)
- [Ernesto] Enabling Github Auto-merge feature in the Ceph repo
  - https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request
  - Use case:
    - There's a PR with approvals but flaky CI tests (API, make check, ...) (example: https://github.com/ceph/ceph/pull/50201)
    - We could retrigger tests and come back to the PR page multiple times until all tests pass...
    - ... Or we just click the "Auto-merge" button, fill out the merge message as usual, and let Github merge it when the CI tests pass.
    - It'd reduce cognitive load, especially with small PRs (docs, backport PRs) where the overhead of the PR process is more noticeable.
  - There's still one issue:
    - Keeping Redmine in sync with Github
      - It could be done: when clicking the Auto-merge or still requiring reviewers to poll the PR until passed and then updating Redmine (not ideal)
      - A Github action that updates a tracker when Github merges the PR would be very useful
  - Yuri/Ilya: discussion around backport requirement reverse order (needs-qa label vs. approvals vs. CI tests passing).
  - Greg pointed out the risks of auto-merge merging PRs with patches submitted after passing requirements or approvals. Auto-merge status should be reset on new commits.
  - Decision: not to enable it.
- Yuri suggested auto-labeling PRs with passing CI, so they better know when to start QA testing.
- Separate discussion on CI flakiness & stability and lack of clear points of contact (Kefu and David did that). For unit tests it's clear that affected teams should do that, but for infrastructure issues there's still a vacuum.

Kind Regards,
Ernesto