[opensuse-factory] Run pre_checkin.sh scripts via a service
Hi,
according to https://en.opensuse.org/openSUSE:Build_Service_Concept_SourceService there is a possibility to run pre_checkin.sh scripts via a service.
But in the following description there exists no explanation nor an example how this is supposed to work ... also the command
osc api /service
does not show anything about this feature, maybe as it is local only. If so I'd like to see how this can be automatically done at checkin time.
Werner
-- "Having a smoking section in a restaurant is like having a peeing section in a swimming pool." -- Edward Burr
On Mon, 2020-04-06 at 11:25 +0200, Dr. Werner Fink wrote:
> Hi,
> according to https://en.opensuse.org/openSUSE:Build_Service_Concept_SourceService there is a possibility to run pre_checkin.sh scripts via a service.
> But in the following description there exists no explanation nor an example how this is supposed to work ... also the command
> osc api /service
> does not show anything about this feature, maybe as it is local only. If so I'd like to see how this can be automatically done at checkin time.
I don't think anybody ever implemented that service - and I'd be really concerned by it, security-wise.
A simple 'osc branch; fix; osc ci' - and any randomly present pre_checkin.sh file being executed on my machine? No thanks!
Also, that would certainly never be executed server side - for the same reason. Running a random, untrusted script would require OBS to spawn a VM for every checkin to somewhat contain what the script can do. That would turn out to be a really expensive action.
For many of the pre_checkin.sh - containing packages it is often rather simple to move to _multibuild; most pre_checkin.sh I'd seen only toggle some flag at the beginning of a spec file, but otherwise have exact copies of the spec. The only drawback here: you might make my life (and in return yours) more miserable when we have to deal with separation in rings (e.g.: I can't split flavors between ring0 and ring1, so multibuild is no option there; we have some logic to 'disable' a flavor inside the ring if it's something we don't want to care for that much)
Hope that helps,
Dominique
On 2020/04/06 11:38:40 +0200, Dominique Leuenberger / DimStar wrote:
> On Mon, 2020-04-06 at 11:25 +0200, Dr. Werner Fink wrote:
> > Hi,
> > according to https://en.opensuse.org/openSUSE:Build_Service_Concept_SourceService there is a possibility to run pre_checkin.sh scripts via a service.
> > But in the following description there exists no explanation nor an example how this is supposed to work ... also the command
> > osc api /service
> > does not show anything about this feature, maybe as it is local only. If so I'd like to see how this can be automatically done at checkin time.
> I don't think anybody ever implemented that service - and I'd be really concerned by it, security-wise.
> A simple 'osc branch; fix; osc ci' - and any randomly present pre_checkin.sh file being executed on my machine? No thanks!
> Also, that would certainly never be executed server side - for the same reason. Running a random, untrusted script would require OBS to spawn a VM for every checkin to somewhat contain what the script can do. That would turn out to be a really expensive action.
> For many of the pre_checkin.sh - containing packages it is often rather simple to move to _multibuild; most pre_checkin.sh I'd seen only toggle some flag at the beginning of a spec file, but otherwise have exact copies of the spec. The only drawback here: you might make my life (and in return yours) more miserable when we have to deal with separation in rings (e.g.: I can't split flavors between ring0 and ring1, so multibuild is no option there; we have some logic to 'disable' a flavor inside the ring if it's something we don't want to care for that much)
Hmmm ... my pre_checkin.sh does extract latest patch from a tar ball to add this to the package version number ... and I do not think that this can be done with _multibuild ... also not with the various scm services
Werner
-- "Having a smoking section in a restaurant is like having a peeing section in a swimming pool." -- Edward Burr
On Mon, 2020-04-06 at 11:45 +0200, Dr. Werner Fink wrote:
> > For many of the pre_checkin.sh - containing packages it is often rather simple to move to _multibuild; most pre_checkin.sh I'd seen only toggle some flag at the beginning of a spec file, but otherwise have exact copies of the spec. The only drawback here: you might make my life (and in return yours) more miserable when we have to deal with separation in rings (e.g.: I can't split flavors between ring0 and ring1, so multibuild is no option there; we have some logic to 'disable' a flavor inside the ring if it's something we don't want to care for that much)
> Hmmm ... my pre_checkin.sh does extract latest patch from a tar ball to add this to the package version number ... and I do not think that this can be done with _multibuild ... also not with the various scm services
Indeed, and I'm happy I wrote 'for many'; your use case is indeed quite specific and not coverable by any current service.
What would be an option though is to have a Version: %(some shell code) that is getting the right version at build time. Not the best thing one can do - but it might be an option here.
Cheers,
Dominique
participants (2)
- Dominique Leuenberger / DimStar
- Dr. Werner Fink
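
The concern raised in the thread, a pre_checkin.sh from a freshly branched package running unreviewed at check-in, can be contained locally by running the script only when its exact content has been read and approved. The following is an added example, not code from the thread, osc or OBS; `REVIEWED_FILE` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of osc or OBS. REVIEWED_FILE and the function
# names are hypothetical; the allowlist is a plain "<sha256> <path>" file.
REVIEWED_FILE="${REVIEWED_FILE:-$HOME/.config/pre_checkin.reviewed}"

# SHA-256 of a file, hex digest only.
script_hash() {
    sha256sum < "$1" | cut -d' ' -f1
}

# After reading <pkgdir>/pre_checkin.sh yourself, record its hash as reviewed.
approve_pre_checkin() {
    script="$1/pre_checkin.sh"
    [ -f "$script" ] || return 2
    mkdir -p "$(dirname "$REVIEWED_FILE")"
    printf '%s %s\n' "$(script_hash "$script")" "$script" >> "$REVIEWED_FILE"
}

# Run <pkgdir>/pre_checkin.sh only if its current content was reviewed.
# Returns 0 if it ran successfully or no script is present, 3 if it was
# refused, otherwise the script's own exit status.
run_reviewed_pre_checkin() {
    script="$1/pre_checkin.sh"
    [ -f "$script" ] || return 0
    have=$(script_hash "$script")
    # Any change to the script (e.g. in a branched copy) changes the hash,
    # so the script is refused until it is reviewed again.
    if ! awk -v h="$have" '$1 == h { ok = 1 } END { exit !ok }' \
            "$REVIEWED_FILE" 2>/dev/null; then
        echo "refusing to run $script: content not reviewed ($have)" >&2
        return 3
    fi
    (cd "$1" && sh ./pre_checkin.sh)
}
```

A check-in then becomes `run_reviewed_pre_checkin . && osc ci`, so a script that arrived with a branch or changed since the last review stops the check-in instead of executing.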