www-infrastructure-issues mailing list archives

From "Davor Bonaci (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-11644) Create a mergebot account
Date Tue, 26 Apr 2016 20:18:12 GMT

    [ https://issues.apache.org/jira/browse/INFRA-11644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15258840#comment-15258840 ]

Davor Bonaci commented on INFRA-11644:
--------------------------------------

I think you may be implying a connection between "intent to contribute" and "user authentication"
/ "ICLA matching". I think all of those are valid questions, but not necessarily connected.
Let me comment on all of them.

> allowing a bot to merge changes into our version control does not provide sufficient proof of intent to contribute

I'd disagree on that one. I think there's very little difference between "merging it yourself"
and "ordering the tool to merge". In both cases, you, as a committer, have made an explicit
decision / order to merge. The demonstrated intent seems to be exactly the same.

In fact, you could argue that "ordering the tool to merge" gives *stronger* proof of intent.
For example, it is not that hard to accidentally merge something when you are dealing with
multiple Git remotes / repositories, multiple branches, etc. Easy to mistake your own repository
for the Apache one, particularly when Git saves your passwords somewhere. Saying "Apache bot,
please merge" is much less subject to interpretation.

> verified that only authenticated users can cause the bot to proceed

I think this is a valid concern.

We were thinking of hard-coding specific user identities, that strictly match Apache Beam
committers. Those user names would be committed into the repository itself, so they could
be changed only by an authorized committer.

There are issues that persist still. For example, if Infra locks someone's ASF account for
whatever reason, this would still allow them to proceed until we update the specific list
of white-listed users. However, I'd point out that this isn't particularly uncommon. All of
us have multiple accounts (unfortunately): ASF account, JIRA account, GitHub account, etc.
Locking one doesn't prevent others from doing harm.

If we have a strong pushback on hard-coding specific user identities, Mergebot could easily
call an API to validate someone's ASF status. For example, the Mergebot can automatically
cross-check against the live Committer index on https://people.apache.org, use LDAP, or otherwise
verify user identity automatically managed by Infra. We have no problem with the Mergebot
living in the Infra repository or otherwise giving Infra any special powers to control and/or
audit Mergebot at any time.

--

I do 100% agree this is not a Legal question, purely an INFRA one.

> Create a mergebot account
> -------------------------
>
>                 Key: INFRA-11644
>                 URL: https://issues.apache.org/jira/browse/INFRA-11644
>             Project: Infrastructure
>          Issue Type: Wish
>          Components: Git
>            Reporter: Jean-Baptiste Onofré
>              Labels: #bugbash
>
> At Beam, we would like to set up a mergebot system which can merge PullRequests when they have been reviewed (with a trigger keyword like LGTM).
> Instead of using a personal account to do the merge, we would like to use a "technical" account.
> Is it possible to create such a kind of account (for instance {{beam-mergebot}})?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
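One way the merge gate discussed in the comment above could be built, as an added example that is neither Beam's nor Infra's code: it parses a committer allowlist (a constructed file, assumed to be read from the repository's trusted default branch rather than the PR branch), requires the LGTM trigger keyword from the issue description, and optionally consults a live account-status callback (a stub standing in for LDAP or people.apache.org) so that a locked account is refused before the hard-coded list is updated.

```python
"""Mergebot authorization gate (added example, not Beam's or Infra's code)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

TRIGGER = re.compile(r"\bLGTM\b")  # trigger keyword named in the issue

# Constructed allowlist standing in for the file committed to the repository.
# Assumption: the bot reads it from the trusted default branch, never from the
# PR's own branch, so a PR cannot add its author to the list.
COMMITTERS_FILE = "alice\nbob\n# carol was removed\n"


@dataclass
class Comment:
    author: str  # login of the commenter (constructed field names)
    body: str


@dataclass
class Decision:
    merge: bool
    reason: str


def load_committers(text: str) -> frozenset:
    """Parse the allowlist: one login per line; '#' comments and blanks ignored."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.lower())
    return frozenset(names)


def authorize(comment: Comment, committers: frozenset,
              account_active: Optional[Callable[[str], bool]] = None) -> Decision:
    """Apply both gates from the discussion: the hard-coded committer list and,
    when a callback is supplied, a live account-status lookup (LDAP stand-in)."""
    if not TRIGGER.search(comment.body):
        return Decision(False, "no trigger keyword")
    login = comment.author.lower()
    if login not in committers:
        return Decision(False, f"{login} is not a listed committer")
    if account_active is not None and not account_active(login):
        return Decision(False, f"{login} account is inactive or locked")
    return Decision(True, f"merge ordered by committer {login}")


if __name__ == "__main__":
    committers = load_committers(COMMITTERS_FILE)
    active = lambda login: login != "bob"  # constructed stub: bob's account locked
    for c in [Comment("alice", "LGTM, merging"), Comment("bob", "LGTM"),
              Comment("mallory", "LGTM"), Comment("alice", "looks good")]:
        print(c.author, authorize(c, committers, active))
```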
