New issue
Advanced search Search tips

Issue 713280 link

Starred by 1 user
Status: Assigned
Owner:
dcheng@chromium.org
Cc:
jochen@chromium.org
dpranke@chromium.org
dcheng@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug



Sign in to add a comment

Automate adding security OWNERS files

Project Member Reported by reed@google.com, Apr 19 2017 
I made an edit to a "traits" file 

ui/gfx/ipc/skia/gfx_skia_param_traints.cc

and then the commit failed. The failure told me to add an OWNERS file to that directory, and to paste in some pre-defined text.

I'm dumb, and misinterpreted their directions, so I lost nearly a day trying "alternate" ways to fix it (e.g. adding more security reviewers)

If this is being automatically detected, with an automated "fix" in mind, can we actually automate this and not leave it for unsuspecting devs (assuming there are other directories that would need such a file added). Can this be done by a house-keeper bot and have those "needed" files get added/checked?

Comment 1 by dcheng@chromium.org, Apr 20 2017

Cc: dpranke@chromium.org dcheng@chromium.org
We want to do this to a presubmit, so that IPC reviewers don't have to do after the fact code reviews (and because the code will have already landed without security review).

I've seen a few other people confused by this message though; I guess one possibility is for the presubmit to directly modify your checkout. Though afaik, all the presubmit checks explicitly don't do that right now, since

1) non-committed changes may not be visible
2) the presubmit would not be idempotent

In addition, we'd want some sort of standardized formatting for OWNERS files so that automatically inserted lines don't stand out...

Given these issues, I don't think we can do it automatically. Do you see any possibility that a different error message would have made the fix more obvious?

Comment 2 by dpranke@chromium.org, Apr 20 2017 

Correct, we don't want presubmits to modify your checkout by default. Generally for this sort of thing we have errors like "X failed, run fix-X to fix it", where fix-X is some script to do the semi-automated thing.

Arguably we could add a mode to the presubmit check to ask if you wanted to fix the errors right then, though.

Comment 3 by dcheng@chromium.org, Apr 21 2017

Owner: dcheng@chromium.org
Status: Assigned (was: Untriaged)
I guess what we could do is make a simple command you could run. But I think we'd want a formatter for OWNERS files too then.

Proposal:
- Adding a formatter for OWNERS files
- Enabling it by default via some PRESUBMIT check
- Implement a simple script that can insert lines into OWNERS files, invoking the formatter
- Update the IPC security presubmit to point people at running this command.

Sound reasonable?

Comment 4 by dpranke@chromium.org, Apr 21 2017

Cc: jochen@chromium.org
I'm not sure that there's really anything to do when formatting owners files, given that they're just single lines of text with no indentation or anything. I suppose we could define an ordering, but it feels like that's probably more trouble than it's worth.

+jochen, who has actually been mucking in just this code lately.

Comment 5 by dcheng@chromium.org, Apr 21 2017 

Mostly it's just an ordering.

For example, we'd probably want TEAM/COMPONENTS lines near the top. It'd also be nice to have logically related blocks grouped together: it would be nice if the IPC-related rules stayed relatively close together, rather than getting interspersed throughout as rules are added/removed over time, etc. Maybe it doesn't really matter though.

Comment 6 by dpranke@chromium.org, Apr 21 2017 

I'm just worried that we could spend a lot of time debating orderings, and it's not particularly clear how we'd even be able to enforce them without trying to add a lot more structure to the files.
Project Member

Comment 7 by sheriffbot@chromium.org, Jul 19 2017

Labels: Hotlist-Google

Sign in to add a comment