Hi,

On 2021-05-28 16:10:25 +0200, Ludwig Nussel wrote:
tl;dr if you rely on package reviews for your development process in OBS make sure requests have a revision. Only osc shows the information you are looking for.
Note that just relying on the presence of a revision is not "sufficient" because it can point to a link (see below).

<SNIP>
AFAIK this feature has been in OBS since the very beginning, it's just well hidden as the official interfaces osc and the webui do add a revision when creating requests. There is no way to turn that off either. Also tools such as bots that use osc as a Python module automatically generate submit requests with a revision. This is not because the server enforces it but because the client code does it.
In case of the osc lib, it depends on how you use it. For instance, if you create a request via

    r = osc.core.Request()
    r.add_action('submit', src_project='openSUSE:Tools', src_package='osc',
                 tgt_project='home:Marcus_H', tgt_package='abc')
    r.create(conf.config['apiurl'])

no revision is added. However, if you use

    r.create(conf.config['apiurl'], addrevision=True)

the API takes care of adding a revision.

<SNIP>
Meanwhile the factory-auto bot was enhanced to decline unversioned requests to Factory (thanks Fabian).
Does it also check if the specified revision points to an expanded file set? For instance, let's assume that

- prj/tgt is a plain package (no _link file)
- prj/lnk is a link to prj/tgt

Now, create a request via

    r = osc.core.Request()
    rev = '40e1a6ff74681c68a001adc3ca0c6474'
    r.add_action('submit', src_project='prj', src_package='lnk', src_rev=rev,
                 tgt_project='prj', tgt_package='bar')
    r.create(conf.config['apiurl'])

where 40e1a6ff74681c68a001adc3ca0c6474 points to an unexpanded file set (that is, it has a _link file). Such a request is displayed like this

    $> osc rq show 1234
    Request: #1234
    submit: prj/lnk@40e1a6ff74681c68a001adc3ca0c6474 -> prj/bar
    ...
    $>

Even if you now run "osc rq show -d 1234", the "expanded" diff is displayed. That is, it is probably not apparent from a reviewer's POV that rev 40e1a6ff74681c68a001adc3ca0c6474 is in fact a link. Now, if a review is accepted, the "attacker" can modify prj/lnk's link target. If the request is eventually accepted, the modified files end up in prj/bar.

Marcus
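
Added example, not part of the mail and not the factory-auto bot's code: a reviewer-side check that flags submit actions with no revision, or with a revision whose file set still contains a _link file. The XML samples are constructed, and `fetch_listing`, `make_request` and `review_problems` are hypothetical names; a real check would fetch the listing from the server's /source/<project>/<package>?rev=<rev> route.

```python
import xml.etree.ElementTree as ET

LINK_REV = "40e1a6ff74681c68a001adc3ca0c6474"   # revision used in the mail
PLAIN_REV = "0" * 32                             # constructed placeholder

# Constructed directory listings, shaped like GET /source/<prj>/<pkg>?rev=<rev>.
LISTINGS = {
    ("prj", "lnk", LINK_REV): '<directory name="lnk"><entry name="_link"/></directory>',
    ("prj", "tgt", PLAIN_REV): '<directory name="tgt"><entry name="tgt.spec"/></directory>',
}

def fetch_listing(project, package, rev):
    """Hypothetical stand-in for the API call; a real check would query the server."""
    return LISTINGS[(project, package, rev)]

def make_request(package, rev=None):
    """Build a constructed submit request in the OBS request XML shape."""
    rev_attr = f' rev="{rev}"' if rev else ""
    return (f'<request id="1234"><action type="submit">'
            f'<source project="prj" package="{package}"{rev_attr}/>'
            f'<target project="prj" package="bar"/></action></request>')

def review_problems(request_xml, fetch=fetch_listing):
    """Return one finding per submit action whose sources are not pinned."""
    findings = []
    for action in ET.fromstring(request_xml).findall("action[@type='submit']"):
        src = action.find("source")
        prj, pkg, rev = src.get("project"), src.get("package"), src.get("rev")
        if not rev:
            # Without a revision the sources are resolved when the request is accepted.
            findings.append(f"{prj}/{pkg}: no revision in request")
            continue
        entries = ET.fromstring(fetch(prj, pkg, rev)).findall("entry")
        if any(e.get("name") == "_link" for e in entries):
            # The revision pins only the _link file, not the files it resolves to.
            findings.append(f"{prj}/{pkg}@{rev}: revision is an unexpanded link")
    return findings

if __name__ == "__main__":
    for req in (make_request("lnk"), make_request("lnk", LINK_REV),
                make_request("tgt", PLAIN_REV)):
        print(review_problems(req) or "ok")
```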