[opensuse-releaseteam] Proposal to resolve the root cause behind whitelisting of Factory patterns for repo_checker
It appears that in order to workaround the intermittent false-negatives emitted by repo_checker a number of patterns have been whitelisted. As an aside, during my requests for feedback about issues and manual accepts for previous repo_checker nothing was really mentioned although we have since come across several cases that would have been present previously as well. As in this case of working around an issue it would be preferred if a discussion is started rather than me having to stumble across such workarounds. Currently whitelisted patterns: patterns-base-apparmor patterns-kde-kde_telepathy patterns-media-rest_cd_gnome patterns-media-rest_cd_kde patterns-media-rest_dvd This is certainly less than ideal as it means that any real problems will be ignored. In fact one of the oldest issues in against the repo_checker is in regards to packages reference by patterns being removed without any proper warning [1]. It is understandable given that they are false-negatives, but it seems are proper solution is in order. As a side-note this is related to the larger discussion about how often stagings will needed to be rebased now that repo_checker ensures an entire staging is installable instead of just the staged requests. This behavior is consistent in that all packages in letter stagings are required to build regardless of what requests are in that staging. repo_checker acts like an extension of OBS in that OBS would check that the BuildRequires can all be met before attempting to build while repo_checker ensures the Requires can be met. Currently, anything added to the rings must have all of the build dependencies present. This has led to packages being split and all sort of fun stuff to avoid bringing in too many dependencies. At the end of the day, packages in rings are only passed because all their dependencies are also available in the rings. Contrast that to patterns which while having their minimal build dependencies present do not have there install-time dependencies present. That combined with the exact version Requires causes the repo_checker to correctly find that they are not installable from the letter staging. Not having the install-time requirements met within the staging seems like a short-cut rather than an idealistically correct setup. If patterns are of enough importance to be in the rings, their install-time requirements ought to be as well. Otherwise, it would seem logical to remove them from the rings since they really are not being checked as the primary purpose of a pattern is to pull in other packages which cannot be confirmed. Alternatively, not having the hard version requirements would remove the repo_checker errors, but still fail if packages required by the pattern are removed. Either way, from what I can tell this should really be a process change rather than either special-casing in repo_checker or whitelisting to hide the problem. I would imagine all other false-negatives are likely in this same category and should be solved in the same way which should put the rebase question to rest with regards to the repo_checker. [1] https://github.com/openSUSE/osc-plugin-factory/issues/277 -- Jimmy -- To unsubscribe, e-mail: opensuse-releaseteam+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-releaseteam+owner@opensuse.org
On Wed, 2017-08-30 at 10:21 -0500, Jimmy Berry wrote:
It appears that in order to workaround the intermittent false- negatives emitted by repo_checker a number of patterns have been whitelisted. As an aside, during my requests for feedback about issues and manual accepts for previous repo_checker nothing was really mentioned although we have since come across several cases that would have been present previously as well. As in this case of working around an issue it would be preferred if a discussion is started rather than me having to stumble across such workarounds.
Currently whitelisted patterns:
patterns-base-apparmor patterns-kde-kde_telepathy patterns-media-rest_cd_gnome patterns-media-rest_cd_kde patterns-media-rest_dvd
Most can probably disappear already again - as they were temporarily needed (as an alternative to rebase a whole staging). Maybe we can have this kind of 'staging based, temporary ignores' as part of the project meta data the checker would take into account? Would be better than having a whitelist which I will keep forgetting to clean up.
This is certainly less than ideal as it means that any real problems will be ignored. In fact one of the oldest issues in against the repo_checker is in regards to packages reference by patterns being removed without any proper warning [1].
I tried to only add stuff which I understood when I saw them in staging (pattern-kde for example got updated, telepathy dropped, which meant the stuff in the existing stagings were no longer happy)
repo_checker acts like an extension of OBS in that OBS would check that the BuildRequires can all be met before attempting to build while repo_checker ensures the Requires can be met. Currently, anything added to the rings must have all of the build dependencies present. This has led to packages being split and all sort of fun stuff to avoid bringing in too many dependencies. At the end of the day, packages in rings are only passed because all their dependencies are also available in the rings.
I don't think every package in a ring has to be installable inside the ring. I can easily create a source package in ring0 that produces a FOO-doc package that has a Requires: texlive - yet, I certainly do not EVER want texlive in ring0. And as long as FOO has no build deps on texlive, there is no need to do so.
Contrast that to patterns which while having their minimal build dependencies present do not have there install-time dependencies present. That combined with the exact version Requires causes the repo_checker to correctly find that they are not installable from the letter staging. Not having the install-time requirements met within the staging seems like a short-cut rather than an idealistically correct setup. If patterns are of enough importance to be in the rings, their install-time requirements ought to be as well. Otherwise, it would seem logical to remove them from the rings since they really are not being checked as the primary purpose of a pattern is to pull in other packages which cannot be confirmed.
We care for SOME patterns - and the not for others.. the ones we care for are referenced by the testdvd creation script - and the kiwi file gets invalidated if the pattern is not installable.
Alternatively, not having the hard version requirements would remove the repo_checker errors, but still fail if packages required by the pattern are removed. Either way, from what I can tell this should really be a process change rather than either special-casing in repo_checker or whitelisting to hide the problem.
Most of the issues I'd seen around patterns in stagings is that things change in oS:F - and if the patterns are the only thing holding off repo-checker from passing it, I'm certainly not willing to rebase a staging and have it build a couple hours again. Hence back to the proposal: can we have the repo_checker exception for a staging project as part of the staging project directly instead of a global config ? Cheers, Dominique
On Wednesday, August 30, 2017 10:30:39 AM CDT Dominique Leuenberger / DimStar wrote:
I don't think every package in a ring has to be installable inside the ring.
I can easily create a source package in ring0 that produces a FOO-doc package that has a Requires: texlive - yet, I certainly do not EVER want texlive in ring0. And as long as FOO has no build deps on texlive, there is no need to do so.
I do not disagree that packages inside of rings are not always installable within the ring (hence the root of pattern issue). In fact that was my primary point, that they should be treated just like build requirements. Otherwise, we may end up shipping a ring package that is not installeable which seems to void the main idea behind having it in a ring.
We care for SOME patterns - and the not for others.. the ones we care for are referenced by the testdvd creation script - and the kiwi file gets invalidated if the pattern is not installable.
Sure, but for those we do not care about it begs if they should be in rings.
Most of the issues I'd seen around patterns in stagings is that things change in oS:F - and if the patterns are the only thing holding off repo-checker from passing it, I'm certainly not willing to rebase a staging and have it build a couple hours again.
Not having to rebase for such a case is definitely better and I was not suggesting that it was not a good idea. Rather avoiding having to tweak the whitelist would seem preferable if possible.
Hence back to the proposal: can we have the repo_checker exception for a staging project as part of the staging project directly instead of a global config ?
This seems like a good suggestion in that is also mirrors the proposal for a ring command and the workflow in general. If the problems could be avoiding on a more general level that would certainly seem better to me, but if no desire to make changes to achieve that goal this would seem the next best. The plan for the ring command and all other such staging information is stored in psuedometa (project description yaml). Alternatively, the remote config could be extended to support per staging project overrides, but would need a place to put it (ie a package) unless somehow morphed into psuedometa. Not sure if this would applicable to other commands/variables. Something to thing about. -- Jimmy -- To unsubscribe, e-mail: opensuse-releaseteam+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-releaseteam+owner@opensuse.org
On Wed, 2017-08-30 at 11:04 -0500, Jimmy Berry wrote:
On Wednesday, August 30, 2017 10:30:39 AM CDT Dominique Leuenberger / DimStar wrote:
I don't think every package in a ring has to be installable inside the ring.
I can easily create a source package in ring0 that produces a FOO- doc package that has a Requires: texlive - yet, I certainly do not EVER want texlive in ring0. And as long as FOO has no build deps on texlive, there is no need to do so.
I do not disagree that packages inside of rings are not always installable within the ring (hence the root of pattern issue). In fact that was my primary point, that they should be treated just like build requirements. Otherwise, we may end up shipping a ring package that is not installeable which seems to void the main idea behind having it in a ring.
The rings are not shipped (separately) - they are not 'visible' in the product but are there for 'us' to have some basic bootstrap packages and the minimal set of what we want to safeguard to not break against each other (what needs to be fixed as a minimum before a gcc update or glibc update can get in for example)
We care for SOME patterns - and the not for others.. the ones we care for are referenced by the testdvd creation script - and the kiwi file gets invalidated if the pattern is not installable.
Sure, but for those we do not care about it begs if they should be in rings.
You overestimate what the rings are good for I think
Hence back to the proposal: can we have the repo_checker exception for a staging project as part of the staging project directly instead of a global config ?
This seems like a good suggestion in that is also mirrors the proposal for a ring command and the workflow in general. If the problems could be avoiding on a more general level that would certainly seem better to me, but if no desire to make changes to achieve that goal this would seem the next best.
right - could be someting like 'osc staging repocheckignore binary' or whatever - I don't mind much how the interface to it will be.
The plan for the ring command and all other such staging information is stored in psuedometa (project description yaml). Alternatively, the remote config could be extended to support per staging project overrides, but woudh need a place to put it (ie a package) unless somehow morphed into psuedometa. Not sure if this would applicable to other commands/variables. Something to thing about.
But all in all happy we agree on the general way forward PS: how comes this list has an invalid post header? List-Post: <mailto:opensuse-releaseteamopensuse.org> whenever I hit reply to list, I get an invalid email address filled in my client.
On Wednesday, August 30, 2017 11:16:08 AM CDT Dominique Leuenberger / DimStar wrote:
The rings are not shipped (separately) - they are not 'visible' in the product but are there for 'us' to have some basic bootstrap packages and the minimal set of what we want to safeguard to not break against each other (what needs to be fixed as a minimum before a gcc update or glibc update can get in for example)
My point was that had OBS had installcheck functionality from the beginning the ring setup would likely be a bit different. It seems fairly arbitrary to stop at BuildRequires as something that builds, but does not install is many times not much more useful to the end-user than something that does not build. Seems more like a tooling issue which we can now resolve. Usage of the whitelist for this purpose is a workaround for the ring workflow. Something we can do, but it still seems a bit questionable. -- Jimmy -- To unsubscribe, e-mail: opensuse-releaseteam+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-releaseteam+owner@opensuse.org
On Wednesday, August 30, 2017 11:16:08 AM CDT Dominique Leuenberger / DimStar wrote:
But all in all happy we agree on the general way forward
Created "osclib/conf: provide mechanism for staging specific setting overrides" [1] to track the conclusion assuming rings are not to be changed. [1] https://github.com/openSUSE/osc-plugin-factory/issues/1122 -- Jimmy -- To unsubscribe, e-mail: opensuse-releaseteam+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-releaseteam+owner@opensuse.org
I'll mirror a discussion from Staging:K here as the comments will be lost once it is accepted. ---- @dimstar: can't install python-kdebase4-4.11.22-9.23.x86_64: package python-kdebase4-4.11.22-9.23.x86_64 requires python-kde4 >= 4.14.0, but none of the providers can be installed nothing provides python2-sip(api) = 12.1 needed by python- kde4-4.14.3-8.3.x86_64 (we have python2-sip-4.19.3-14.1.x86_64) This is a bogus error: first, it's 'nice to have' that non-ring stuff does not break - but seeing > 150 build fails, we are clearly not there. And even more importantly: once python-kde4 is rebuilt against python-sip's upgrade, the dependency will be corrected - so we really need to have some better logic here than blocking ring packages for non-ring issues that are no issues. (as a workaround I linked python-kde4 into K:DVD, where we luckily can build it and thus 'prove' to repo-checker, that the issue is not real. ---- @jberry: python-kdebase4 is provided by kdebase4-workspace which is a ring package hence why the message was included. The fact that a ring package has an install-time dependency on a non-ring was the entire point of my email to opensuse-releaseteam. This would not work for build-time requirements and why it is arbitrarily allowed for install-time seems more like an accident since the previous repo-checker did not properly review the stagings. The filtering can be restricted to just the packages updated in requests, but even then if kdebase4-workspace was updated this error would be rightfully shown. There is no magical way for an automated tool to know that this will be resolved once the updates are merged into the target project. If we are depending on that workflow why bother staging things anyway? The proper solution is to include install-time dependencies of ring packages in the rings. The rings are already a giant short-cut that is a compromise for speed rather than correctness. The lack of install-time dependencies is really an issue. Some of them can probably be eliminated through re-packaging, but this is just not correct. I understand that the rings are not shipped to end-users, but the entire point is to provide a subset of packages and verify that they are not broken by updates. The fact that the new tool correctly analyzes staging projects as a whole, just as a single build failure will block the entire staging, is a case of do not blame the messenger for a sketchy practice. If the package in question was to be installed for an openQA test it would crap during installation. Any other solutions are just ways of hiding the errors and crossing our fingers that they will not exist once merged. The only real solution is including install-time deps in rings. In fact any package checked on `openQA` already includes install-time dependencies. Simply inconsistent since nothing complained before. `ghc-*` packages in adi stagings having to include all the other ghc packages to have the requires properly rebuilt is another example. That is the correct way to handle such packages and it would have to be an exception if the `repo- checker` was hacked for letter staging screwy ring practices. When you start adding exceptions that is usually a sign you are doing something wrong. -- Jimmy -- To unsubscribe, e-mail: opensuse-releaseteam+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-releaseteam+owner@opensuse.org
Since the issue of how to deal with "leaky rings" keeps manifesting itself in different forms it seems like another attempt at explaining why this happens, what are the options, and why changing the ring policy is the best choice seems worth the effort. The fundamental difference between adi stagings and letter stagings is that adi build the request packages directly on top of Factory whereas letter stagings also include all ring packages. The partial exception being ghc-* packages in which all other ghc-* packages are inherited into the adi staging. Previously, the repo_checker would review packages from devel projects which built against Factory. This meant that the check was essentially the same as the repo_checker checking adi stagings with the exception that the majority of the time it would review requests individually instead of grouped. With the new repo_checker reviewing stagings (since after all the entire staging process exists) all adi packages are reviewed essentially the same other than any non-submitted/grouped devel package changes are excluded as they should be. The major difference occurs in how ring packages are reviewed since they are reviewed along with all the other ring packages at the point which they were last rebased. The various problems stem from: - changes that cause install-time dependency issues until rebased - updates to ring packages that require non-ring packages to be rebuilt The second issue can take two primary forms: 1) a package (such as a pattern) that has a Requires on a non-ring package and no BuildRequires on that package 2) a multi-spec package which does not build all subpackages in rings, but has exact version requirements on the root package Both of the two core issues stem from the fact that rings have all BuildRequires satisfied within the rings, but not all Requires satisfied withing the rings. In the majority of cases seen the issues would be resolved once the packages were accepted into Factory and the non-ring packages rebuilt. This certainly is not guaranteed to always be the case and as I have said before seems rather arbitrary to draw the line at that point. The root concept of rings seems to be a subset of packages that are "important" that are rebuilt to try and ensure they are not broken by updates to other "important" packages. As such the whole idea (as is enforced with BuildRequires) is that they are self-contained. The proposed workarounds are as follows: - enhance manual whitelist workflow to be staging specific and clear on accept - ignore all errors caused by non-ring packages Interestingly, both of these problems are resolved by simply requiring the rings to have self-contained Requires just as they already have for BuildRequires. Given the alternative is ignoring the problems either via manual or automated means the result is virtual finger-crossing assuming the errors will be resolved once merged into Factory. Being certain and consistent seems like a much better strategy than hoping for the best and looking the other way. For whatever reason there seems to be disagreement on this point even though it is the root cause of all these issues. The alternatives are a fair bit of extra work either on the part of Factory staging masters and to automate ignoring the problems and lower the confidence that the result is correct. As you are probably already aware I am never in favor of adding manual steps where they can be avoided so "enhancing" the whitelist feature which was intended to be temporary is the complete wrong direction from my view. Given the strong resistance to fixing the rings to make them consistent and correct I will cover the possible alternatives for automation. The biggest hurdle is the lack of structured output from the install check and file conflict tools. During the rewrite I added some basic parsing to be able to report problems on devel packages, but that parsing only looks at which packages are effected by the issue not at the details of why. Given the variety of forms and complexity of reasons parsing the text would seem less than ideal. The alternative is reworking those tools to provide structured output that can be interpreted by the repo_checker. As Ludwig already indicated upstream does not have interest in such changes and suggested we rewrite the tools as needed (and thus also maintain such changes). Assuming we had that structured output an error for a ring package caused by a non-ring package could be ignored. Obviously, the repo_checker has no way to know if this will actually be resolved on merge or if it is a real problem. Basically if any package listed in the detailed section is a non-ring package ignore the error. At this point it seems like even bothering to layer the letter stagings on top of Factory is then pointless if all the errors produced are then ignored. Interestingly this would effectively treat the letter stagings as contained units...since that is really what they want to be and how the staging masters want the repo_checker to treat them. Really begs why we just don't make it so. The other questionable area is how to treat file conflicts with non-ring packages as again they may be real, but may be resolved on update...there really is not any way for repo_checker to know. Hopefully, this makes it clear why it makes far more sense to make the rings consistent and be self-contained not just for BuildRequires, but Requires as well. The alternatives are extremely sub-optimal and require a lot of effort while never achieving a high level of confidence in a correct result. Having self-contained rings however achieves both. -- Jimmy -- To unsubscribe, e-mail: opensuse-releaseteam+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-releaseteam+owner@opensuse.org
participants (2)
-
Dominique Leuenberger / DimStar -
Jimmy Berry