Closed Bug 1348852 Opened 7 years ago Closed 7 years ago

Add a commit hook that requires a special keyword to override changes to NSPR and NSS

Categories

(Developer Services :: Mercurial: hg.mozilla.org, enhancement)

Product:
Developer Services
Component:
Mercurial: hg.mozilla.org
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

Attachments

(2 files, 4 obsolete files)

1348852-v4.patch
8.76 KB, patch
gps
: review+
Details | Diff | Splinter Review
1348852-v5.patch
6.84 KB, patch
gps
: review+
Details | Diff | Splinter Review 
In the recent past, it has repeatedly happened, that people broke the rule that Firefox shouldn't use any local patches on top of NSPR (except in emergencies).

Could we use the following approach?

"Require that any commit to directory /nsprpub
 contains the string OVERRIDE_NSPR_RELEASE in the commit message."
See Also: → 1348853
I've filed bug 1348853 to request a similar hook for NSS.
Masatoshi, thanks a lot for suggesting a commit hook in bug 1347932.

Do you know who could help us with getting that implemented?
Does this bug have the correct component?
Flags: needinfo?(VYV03354)
I've been pointed to 
  https://hg.mozilla.org/hgcustom/version-control-tools/file/tip/hghooks/mozhghooks

We should work on a python script to implement the hook.
Assignee: nobody → kaie
Flags: needinfo?(VYV03354)
Summary: Add a commit hook that requires a special keyword to override changes to NSPR → Add a commit hook that requires a special keyword to override changes to NSPR and NSS
See Also: 1348853
Attached patch 1348852-v1.patch (obsolete) — Splinter Review 

    
  
Component: Build Config → Mercurial: hg.mozilla.org
Product: Core → Developer Services
Version: 52 Branch → unspecified

    
    

    
  
Comment on attachment 8849544 [details] [diff] [review]
1348852-v1.patch

What do you think?

I suggest to add this hook to
  mozilla-central, 
  mozilla-inbound, 
  autoland, 
  mozilla-aurora, 
  mozilla-beta, 
  mozilla-release, and 
  mozilla-esr52.

        Attachment #8849544 -
        Flags: superreview?(gps)

        Attachment #8849544 -
        Flags: review?(ted)

    
    

    
  
Comment on attachment 8849544 [details] [diff] [review]
1348852-v1.patch

The concept seems fine. I'm going to let gps do the actual review here since he's more in-tune with our Mercurial customizations.

        Attachment #8849544 -
        Flags: superreview?(gps)

        Attachment #8849544 -
        Flags: review?(ted)

        Attachment #8849544 -
        Flags: review?(gps)

    
    

    
  
Comment on attachment 8849544 [details] [diff] [review]
1348852-v1.patch

Review of attachment 8849544 [details] [diff] [review]:
-----------------------------------------------------------------

This is mostly good. Should get r+ on next round of review.

::: hghooks/mozhghooks/prevent_nspr_nss_changes.py
@@ +1,4 @@
> +# This software may be used and distributed according to the terms of the
> +# GNU General Public License version 2 or any later version.
> +
> +import grp

Unused import.

@@ +18,5 @@
> +        ctx = repo[rev]
> +        have_nspr = any(f.startswith('nsprpub/') for f in ctx.files())
> +        have_nss = any(f.startswith('security/nss/') for f in ctx.files())
> +
> +        if have_nspr:

You can just inline this:

if any(f.startswith...:

@@ +31,5 @@
> +        if nspr_nodes:
> +            ui.write('(%d changesets contain changes to protected nsprpub/ '
> +                     'directory: %s)\n' % (len(nspr_nodes), ', '.join(nspr_nodes)))
> +
> +            if repo.changectx('tip').description().find("UPGRADE_NSPR_RELEASE") == -1:

if 'UPGRADE_NSPR_RELEASE' not in repo['tip'].description():

@@ +41,5 @@
> +        if nss_nodes:
> +            ui.write('(%d changesets contain changes to protected security/nss/ '
> +                     'directory: %s)\n' % (len(nss_nodes), ', '.join(nss_nodes)))
> +
> +            if repo.changectx('tip').description().find("UPGRADE_NSS_RELEASE") == -1:

Please also fix this revision access and text test.

@@ +47,5 @@
> +                res = 1
> +            else:
> +                ui.write('good, you said you are following the rules and are upgrading to an NSS release snapshot, permission granted.\n')
> +        
> +        if res == 1:

if res:

@@ +56,5 @@
> +            ui.write('\n')
> +            ui.write('these directories are kept in sync with the canonical '
> +                     'upstream repositories at\n'
> +                     'https://hg.mozilla.org/projects/nspr and '
> +                     'https://hg.mozilla.org/projects/nspr\n')

You said nspr twice.

::: hghooks/tests/test-prevent-nspr-nss-changes.t
@@ +11,5 @@
> +
> +  $ touch file0
> +  $ hg -q commit -A -m "initial"
> +
> +  $ USER=someone@example.com hg push

USER here should be irrelevant. Please remove it here and in the rest of the file.

@@ +39,5 @@
> +  
> +  these directories are kept in sync with the canonical upstream repositories at
> +  https://hg.mozilla.org/projects/nspr and https://hg.mozilla.org/projects/nspr
> +  
> +  please contact the NSPR/NSS developers to get your changes merged, released and uplifted.

Reading the test and relating to the experience of seeing this message, my next question is "how do I contact the NSPR or NSS developers?" Can you add some minimal instructions here?

@@ +92,5 @@
> +  [255]
> +
> +With magic word, can change security/nss/
> +
> +  $ USER=someone@example.com hg rollback

`hg rollback` is deprecated and should not be used by users or by tests. Please add "[extensions]\nstrip=" to the hgrc in the test and use `hg strip -r .` instead.

        Attachment #8849544 -
        Flags: review?(gps) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        1348852-v1.patch (obsolete)
        — Splinter Review
      

    


  
Thanks a lot for your review.

This updated patch should address all of your requests.

        Attachment #8849544 -
        Attachment is obsolete: true

        Attachment #8865854 -
        Flags: review?(gps)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        1348852-v2.patch (obsolete)
        — Splinter Review
      

    


  
Correct new patch.

        Attachment #8865854 -
        Attachment is obsolete: true

        Attachment #8865854 -
        Flags: review?(gps)

        Attachment #8865855 -
        Flags: review?(gps)

    
    

    
  
Oh, also since I reviewed this, we now have a much saner development/test experience for hg hooks and extensions in version-control-tools. It is documented at https://mozilla-version-control-tools.readthedocs.io/en/latest/hgmods/index.html#creating-and-maintaining-a-development-environment. tl;dr

  $ ./create-environment hgdev
  $ source venv/hgdev/bin/activate
  $ ./run-tests -j8 hghooks

There is no Docker and the above commands should take like 2 minutes.

    
    

    
  
Comment on attachment 8865855 [details] [diff] [review]
1348852-v2.patch

Review of attachment 8865855 [details] [diff] [review]:
-----------------------------------------------------------------

I said you'd likely get r+ after the 2nd review. I apologize, but I forgot to point out a critical issue: consideration for uplifts and merges.

Our hooks typically short circuit for uplifts:

    if 'a=release' in repo['tip'].description().lower():
        return 0

And for merge commits (since ctx.files() contains a union of files modified in both sides of a merge):

    if len(ctx.parents()) > 1:
        continue

See prevent_webidl_changes.py for an example.

This change should be pretty straightfoward and I'm fine not writing test coverage for it (since if we fail to handle these cases sheriffs tend to get quite vocal about it).

Sorry for the added review cycle: I should have caught this during the first review.

::: hghooks/mozhghooks/prevent_nspr_nss_changes.py
@@ +43,5 @@
> +                #ui.write("=== NSS change, but couldn't find NSS magic word===\n")
> +                res = 1
> +            else:
> +                ui.write('good, you said you are following the rules and are upgrading to an NSS release snapshot, permission granted.\n')
> +        

Nit: trailing whitespace

        Attachment #8865855 -
        Flags: review?(gps) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        1348852-v3.patch (obsolete)
        — Splinter Review
      

    


  
No problem, thanks again for reviewing.

        Attachment #8865855 -
        Attachment is obsolete: true

        Attachment #8866733 -
        Flags: review?(gps)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        1348852-v4.patchSplinter Review
      

    


  
Just a minor update to v3, I've added comments for the "skip uplifts" and "skip merges" actions.

        Attachment #8866733 -
        Attachment is obsolete: true

        Attachment #8866733 -
        Flags: review?(gps)

    
    

    
  
Comment on attachment 8867116 [details] [diff] [review]
1348852-v4.patch

Review of attachment 8867116 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me. I'll land this for you. I may deploy today if we don't have any other major changes to hg.mo infra in version-control-tools. But I won't activate the hook until next week because I don't like fire drills over the weekend.

        Attachment #8867116 -
        Flags: review+

    
    

    
  
I just landed this. Not sure where pulsebot is at.

Anyway, there are just enough changes in version-control-tools that I don't feel comfortable deploying this today. So needinfo me to remind myself to deploy and configure this next week.
Flags: needinfo?(gps)

    
    

    
  
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/55a931c19a1d
hghooks: hook to verify changes to NSS and NSPR are approved ; r=gps
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED

    
    

    
  
This is deployed. Hook activated on:

mozilla-central
integration/autoland
integration/mozilla-inbound
releases/mozilla-aurora
releases/mozilla-beta
releases/mozilla-release
releases/mozilla-esr52

If it issues false positives, ping someone in #vcs. If a normal VCS admin isn't around, make noise in #moc or #sysadmins.

To disable the hook:

1. ssh into hgssh4.dmz.scl3.mozilla.com
2. Comment out (with #) the line referencing "prevent_nspr_nss_changes" in /repo/hg/mozilla/<repo>/.hg/hgrc
3. Save file (changes take effect immediately)

Then needinfo gps@mozilla.com to dig into the aftermath.
Flags: needinfo?(gps)

    
    

    
  
(In reply to Gregory Szorc [:gps] from comment #18)
> This is deployed. Hook activated on:

Thanks a lot!

For future reference:
- upgrading to a newer snapshot of NSS requires the following keyword in the commit message:
  UPGRADE_NSS_RELEASE
- upgrading to a newer snapshot of NSPR requires the following keyword in the commit message:
  UPGRADE_NSPR_RELEASE

    
    

    
  
I was blocked on merging mozilla-inbound to mozilla-central because of this hook. A commit on inbound updated NSS to a new version. That commit had its own "UPGRADE_NSS_RELEASE" in the message, but the merge wouldn't go through until I added that to the merge commit message.

The code is supposed to skip the hook on merges, but that doesn't seem to be working. gps says that's a bug in the hook
Flags: needinfo?(kaie)
Flags: needinfo?(gps)

    
    

    
  
I don't think it's critical enough to back out the hook (I can just add the keyword), but it would be nice to get this fixed sometime soon.

    
    

    
  
(In reply to Gregory Szorc [:gps] from comment #12)
> 
> And for merge commits (since ctx.files() contains a union of files modified
> in both sides of a merge):
> 
>     if len(ctx.parents()) > 1:
>         continue
> 
> See prevent_webidl_changes.py for an example.


I might not have used the correct code when implementing this.

What I have:

    for rev in repo.changelog.revs(repo[node].rev()):
        ctx = repo[rev]
	# Skip merge changesets.
        if len(ctx.parents()) > 1:
            continue

What prevent_webidl_changes.py has:

    for i in reversed(changesets):
        c = repo.changectx(i)
        if len(c.parents()) > 1:
            # Skip merge changesets
            continue

Are these equivalent?

If they are equivalent, should we skip on "a=merge" ?
Flags: needinfo?(kaie)

    
    

    
  
repo.changectx(i) and repo[rev] are basically the same.

The issue is we do a first pass to see if *any* changesets touch NSS/NSPR then only examine repo['tip'] for the special syntax. On mozilla-central, repo['tip'] could be a merge, a backout, etc. Most likely not the change touching NSS/NSPR.

We'll want to change the hook to look for the special syntax in the changeset actually touching the files, excluding merges.
Flags: needinfo?(gps)

    
  
Flags: needinfo?(kaie)

    
    

    
  
I'm again hitting a merge that's getting rejected because the merge commit doesn't have the magic words (this time, for both the NSS *and* NSPR bits of the hook) while the actual commits changing things do. 

Any progress in updating the hook?

    
    

    
  
Could you help me construct a sample series of commits (locally), that I could use to test that the updated hook will handle your merges correctly?
Status: RESOLVED → REOPENED
Flags: needinfo?(kaie)
Resolution: FIXED → ---

    
    

    
  
(In reply to Gregory Szorc [:gps] from comment #23)
> 
> We'll want to change the hook to look for the special syntax in the
> changeset actually touching the files, excluding merges.

Ok, got it. Will attach new patch.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        1348852-v5.patchSplinter Review
      

    


  

        Attachment #8875267 -
        Flags: review?(gps)

    
    

    
  
Comment on attachment 8875267 [details] [diff] [review]
1348852-v5.patch

Review of attachment 8875267 [details] [diff] [review]:
-----------------------------------------------------------------

Some comments on the changes, to make reviewing easier.

::: hghooks/mozhghooks/prevent_nspr_nss_changes.py
@@ +9,4 @@
>      if source in ('pull', 'strip'):
>          return 0
>  
> +	# Leave uplifts alone.

whitespace only

@@ +33,1 @@
>  

These are the important changes. If the respective keyword is present for an individual commit, don't remember the node, just skip it.

@@ +37,4 @@
>          if nspr_nodes:
>              ui.write('(%d changesets contain changes to protected nsprpub/ '
>                       'directory: %s)\n' % (len(nspr_nodes), ', '.join(nspr_nodes)))
> +            res = 1

We don't need to check for the keyword here. We know there wasn't a keyword, because we added the node to the list. Just report which commit we're rejecting.

@@ -44,1 @@
>  

Skipping the "good" message, it seems unnecessary.

@@ +41,5 @@
>  
>          if nss_nodes:
>              ui.write('(%d changesets contain changes to protected security/nss/ '
>                       'directory: %s)\n' % (len(nss_nodes), ', '.join(nss_nodes)))
> +            res = 1

same for nss

@@ -54,1 @@
>  

same for nss

@@ +55,5 @@
>                       'https://hg.mozilla.org/projects/nspr and '
>                       'https://hg.mozilla.org/projects/nss\n')
>              ui.write('\n')
> +            ui.write('Please contact the NSPR/NSS maintainers at nss-dev@mozilla.org or on IRC\n'
> +                     'channel #nss to request that your changes are merged, released and uplifted.\n')

Better wrapping, to avoid very long lines.

::: hghooks/tests/test-prevent-nspr-nss-changes.t
@@ +110,3 @@
>  
> +Multiple changesets handled properly, each changeset touching protected
> +files must contain the correct corresponding keyword

clarify that we changed the rules

@@ +139,5 @@
>    rollback completed
>    abort: pretxnchangegroup.prevent_nspr_nss hook failed
>    [255]
>  
> +  $ hg -q commit --amend -m 'add security/nss/file3, UPGRADE_NSS_RELEASE'

only add the nss keyword, because the latest commit touches nss only.

The nspr keyword contained in the previous commit is sufficient to approve the nspr change from that previous commit.

    
    

    
  
Please click the "Splinter Review" link next to attachment v5, to view my comments at the correct places.

    
    

    
  
Comment on attachment 8875267 [details] [diff] [review]
1348852-v5.patch

Review of attachment 8875267 [details] [diff] [review]:
-----------------------------------------------------------------

I'll land this for you so I can normalize some tabs to spaces.

        Attachment #8875267 -
        Flags: review?(gps) → review+

    
    

    
  
I forgot to reference the bug number in the commit message. Derp.

https://hg.mozilla.org/hgcustom/version-control-tools/rev/aef5b2f44147
Status: REOPENED → RESOLVED
Closed: 7 years ago7 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: