Set up private gerrit for security reviews

Bug #1083101 reported by Thierry Carrez
This bug affects 2 people
Affects: OpenStack Core Infrastructure
Status: In Progress
Importance: High
Assigned to: Khai Do

Bug Description

Handling security patches has been an issue so far: our solution involves posting them to Launchpad and tracking new patchsets and approvals a bit manually, then praying for the stuff to be mergeable and tests to pass when we open the bug at the end. This resulted in unnecessary pain and delays.

We should use a private Gerrit instance that would be stripped of all of the potential leak areas (like the gitweb thing). We would track patch versions and approvals there, bringing people in as necessary. Tests would be triggered from there to give us reasonable confidence that the patch is good. Once approved we would push them to stakeholders, and once the embargo is over we would use some magic to copy the patch and approvals over to the public Gerrit, where the patch would enter the normal gate workflow.

Tags: gerrit
Thierry Carrez (ttx) wrote :

This bug replaces bug 902052, which was about adding private reviews to the same Gerrit instance that is used for everything else.

Monty Taylor (mordred)
Changed in openstack-ci:
status: New → Triaged
importance: Undecided → High
milestone: none → folsom
milestone: folsom → grizzly
James E. Blair (corvus) wrote :
Clark Boylan (cboylan) wrote :

TL;DR of summit session and etherpad linked above. Current plan is to run a second gerrit to facilitate code review for embargoed patches. But we will not run an entire second shadow environment (too much effort for ~50 patches a year). Instead the infra team will make it easier for devs to run devstack gate themselves so that they can independently verify patches.

Changed in openstack-ci:
milestone: grizzly → havana
Khai Do (zaro0508)
Changed in openstack-ci:
assignee: nobody → Khai Do (zaro0508)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.openstack.org/47937

Changed in openstack-ci:
status: Triaged → In Progress
Clark Boylan (cboylan)
Changed in openstack-ci:
milestone: havana → icehouse
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.openstack.org/49448
Committed: http://github.com/openstack-infra/config/commit/6a2e31da4baa0e7e68c17a60a7594017495572a3
Submitter: Jenkins
Branch: master

commit 6a2e31da4baa0e7e68c17a60a7594017495572a3
Author: Khai Do <email address hidden>
Date: Wed Oct 2 15:17:01 2013 -0700

    decouple mysql setup from gerrit module

    This commit moves the MySQL configuration from the gerrit puppet
    module into a separate mysql puppet module. The purpose of
    this change is to allow us to more easily customise gerrit's
    mysql configuration for each instance of gerrit that we deploy.

    Partial-Bug: 1083101
    Change-Id: Ibcc31b3fce8af54229fd4de69a49842ac1c428ae

Khai Do (zaro0508) wrote :
Khai Do (zaro0508) wrote :
Khai Do (zaro0508) wrote :

This is an update. We have a good idea how to do this. However, there are probably many ways to implement it; we just need to get together and decide how we want to make it work. Here is the WIP change for it: https://review.openstack.org/#/c/47937

Jeremy Stanley (fungi)
Changed in openstack-ci:
milestone: icehouse → kilo
OpenStack Infra (hudson-openstack) wrote : Change abandoned on system-config (master)

Change abandoned by Khai Do (<email address hidden>) on branch: master
Review: https://review.openstack.org/47937
Reason: This has been sitting around for ages so obviously we don't want it. Upstream gerrit is proposing to add a 'private changes' feature which might be a solution for this use case.

 https://gerrit-review.googlesource.com/#/c/94557/
 https://gerrit-review.googlesource.com/#/c/98134/
 https://gerrit-review.googlesource.com/#/c/97230/

