Set up private gerrit for security reviews

Bug #1083101 reported by Thierry Carrez on 2012-11-26
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Core Infrastructure
In Progress
Khai Do

Bug Description

Handling security patches has been an issue so far: our solution involves posting them to Launchpad and tracking new patchsets and approvals a bit manually, then pray for the stuff to be mergeable and tests to pass when we open the bug at the end. This resulted in unnecessary pain and delays.

We should use a private Gerrit instance that would be stripped of all of the potential leak areas (like the gitweb thing). We would track patch versions and approvals there, bringing people in as necessary. Tests would be triggered from there to give us reasonable confidence that the patch is good. Once approved we would push them to stakeholders, and once the embargo is over we would use some magic to copy the patch and approvals over to the public Gerrit, where the patch would enter the normal gate workflow.

Thierry Carrez (ttx) wrote :

This bug replaces bug 902052, which was about adding private reviews to the same Gerrit instance that is used for everything else.

Monty Taylor (mordred) on 2012-11-26
Changed in openstack-ci:
status: New → Triaged
importance: Undecided → High
milestone: none → folsom
milestone: folsom → grizzly
Clark Boylan (cboylan) wrote :

TL;DR of summit session and etherpad linked above. Current plan is to run a second gerrit to facilitate code review for embargoed patches. But we will not run an entire second shadow environment (too much effort for ~50 patches a year). Instead the infra team will make it easier for devs to run devstack gate themselves so that they can independently verify patches.

Changed in openstack-ci:
milestone: grizzly → havana
Khai Do (zaro0508) on 2013-09-06
Changed in openstack-ci:
assignee: nobody → Khai Do (zaro0508)

Fix proposed to branch: master

Changed in openstack-ci:
status: Triaged → In Progress
Clark Boylan (cboylan) on 2013-10-22
Changed in openstack-ci:
milestone: havana → icehouse

Submitter: Jenkins
Branch: master

commit 6a2e31da4baa0e7e68c17a60a7594017495572a3
Author: Khai Do <email address hidden>
Date: Wed Oct 2 15:17:01 2013 -0700

    decouple mysql setup from gerrit module

    This commit moves the MySQL configuration from the gerrit puppet
    module into a seperate mysql puppet module. The purpose of
    this change is to allow us to more easily customise gerrit's
    mysql configuration for each instance of gerrit that we deploy..

    Partial-Bug: 1083101
    Change-Id: Ibcc31b3fce8af54229fd4de69a49842ac1c428ae

Khai Do (zaro0508) wrote :
Khai Do (zaro0508) wrote :

This is an update. We have a good idea how to do this. However this are probably many ways to implement we just need to get together and decide how we want to make it work. Here is the WIP change for it:

Jeremy Stanley (fungi) on 2014-10-27
Changed in openstack-ci:
milestone: icehouse → kilo

Change abandoned by Khai Do (<email address hidden>) on branch: master
Reason: This has been sitting around for ages so obviously we don't want it. Upstream gerrit is proposing to add a 'private changes' feature which might be a solution for this use case.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers