Hi all,

I am new to Apache and still finding my way around how to approach and discuss issues around here. Gavin McDonald invited me to post to this list in lieu of having the discussion on the issue I had created here:
https://issues.apache.org/jira/browse/INFRA-21500

Normally, I would provide more concrete and fully detailed proposals, but as I haven't found my footing here yet, I will try to simply open a conversation.

I mean for this to be a two-tier conversation, as it makes no sense to me to solve this issue solely for our project without solving it for all Apache projects unilaterally (or at least all Apache projects which use GitHub).

For our immediate needs, as the subject line indicates (and the issue also describes), pre-merge CI for the BuildStream project is broken as of our migration to ASF GitHub.

Pre-merge CI works for the privileged few core developers who have direct access to the repository: https://github.com/apache/buildstream, but this is by no means sufficient. If CI does not work for regular external contributors, first-time patch submitters or drive-by patch contributors, then I think it is fair to just say "CI is broken" (justifying why this is important in this post will only make my post unnecessarily long).

So with that said, I would like to ask the community some questions:

o What is the correct way of approaching pre-merge CI for ASF GitHub projects? If you have "the answer" to this, please provide it and disregard the entire remainder of this email, I will be happy to fall in line, maybe I just was not directed to the correct wiki page telling me how to do this :)

o Looking at JIRA 21500 above and other linked issues, this appears to be blocked by security concerns. If the worst thing that can happen is that our runners are down for a couple of days and some ephemeral caches get flushed/lost as a result, and that this only ever happens once in a blue moon, then maybe we are just being overly precautious here and the solution is to simply accept this low-impact vulnerability? To quote/paraphrase others: are we allowing perfect to be the enemy of good in this instance?

o As I understand it, we have one team spread thin handling infrastructure, and we have a lot of projects which are using a variety of services to achieve the same goals. Is there already an initiative in place to unify the services which must be used to host an Apache project? We already migrated from GitLab to GitHub for the sake of entering the ASF, and I think as long as some basic (but modern) criteria are met, we would be happy to have these things dictated to us if it means that in general we have better ability to maintain our infra. I *will* cry inside if you force us to use CVS and JIRA, but I think you get my drift here...

o Alternatively, if we are going to be open about every project doing everything in their own way, then why not just allow ASF projects to use external services like GitHub and GitLab? As mentioned in JIRA 21500 (linked above), CI works fine in GitHub as long as we are not in the apache namespace. Does it make sense to be spending concrete efforts on the ground merely to satisfy a matter of policy? Maybe the policy needs to shift?

Best Regards,
-Tristan