---
title: "Gerrit ESC Meeting Minutes"
tags: esc
keywords: esc minutes
permalink: 2024-07-23-esc-minutes.html
summary: "Minutes from the ESC meeting held on July 23, 2024"
hide_sidebar: true
hide_navtoggle: true
toc: true
---

## Engineering Steering Committee Meetings, July 23 and Mar 6, 2024

Patrick Hiesel, Luca Milanesio, Saša Živkov

### Update to Servlet API 6.0 (ESC of July 23)

JGit [moved to Jakarta Servlet API 5.0 back in May 2024](https://eclipse.gerrithub.io/c/eclipse-jgit/jgit/+/189213)
and when its `next` branch was merged to `master`, it became incompatible
with Gerrit, which still relies on servlet API v3.1.0 (the `javax.servlet` namespace).
JGit has now moved [to Jakarta Servlet API v6.0](https://eclipse.gerrithub.io/c/eclipse-jgit/jgit/+/201617).

The impact of upgrading Gerrit to Jakarta is large: it implies amending
all `javax.servlet` imports to `jakarta.servlet`, since the two namespaces are
not interchangeable. Patrick is checking the impact and status
of Google's implementation of the Servlet API.

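The incompatibility comes from the package rename: Jakarta EE 9 moved the servlet API from `javax.servlet` to `jakarta.servlet`, so a JGit built against `jakarta.servlet` and a Gerrit built against `javax.servlet` cannot be loaded together in one servlet container. The following added example (not Gerrit or JGit code; the jar names and class contents are constructed stand-ins) scans the class files inside a set of jars, reports which servlet namespace each one references, and flags a mixed dependency set:

```python
"""Flag javax.servlet / jakarta.servlet namespace mixes across a set of jars.

Added example for these minutes, not Gerrit or JGit code. It scans the
.class entries of each jar for references to either servlet namespace; a
dependency set that references both will not load in one servlet container.
"""
from __future__ import annotations

import io
import sys
import zipfile

# Internal (slash-separated) package prefixes as they appear in the
# CONSTANT_Utf8 entries of a class file's constant pool.
JAVAX_SERVLET = b"javax/servlet/"
JAKARTA_SERVLET = b"jakarta/servlet/"


def servlet_namespaces(jar_bytes: bytes) -> set[str]:
    """Return {"javax"}, {"jakarta"}, both, or an empty set for one jar.

    Class files store the names of every referenced class as modified UTF-8,
    so an ASCII package prefix appears verbatim in the bytes. This catches both
    providers (the servlet-api jar itself) and consumers (code importing it).
    """
    found: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            data = jar.read(entry)
            if JAVAX_SERVLET in data:
                found.add("javax")
            if JAKARTA_SERVLET in data:
                found.add("jakarta")
    return found


def partition_by_namespace(jars: dict[str, bytes]) -> tuple[set[str], set[str]]:
    """Split jar names into those referencing javax.servlet and jakarta.servlet."""
    javax: set[str] = set()
    jakarta: set[str] = set()
    for name, data in jars.items():
        namespaces = servlet_namespaces(data)
        if "javax" in namespaces:
            javax.add(name)
        if "jakarta" in namespaces:
            jakarta.add(name)
    return javax, jakarta


def is_mixed(jars: dict[str, bytes]) -> bool:
    """True when the set references both namespaces, i.e. the JGit/Gerrit situation."""
    javax, jakarta = partition_by_namespace(jars)
    return bool(javax) and bool(jakarta)


def make_fake_jar(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory jar. Constructed test data: the .class bodies below are
    not real bytecode, only the constant-pool strings the scanner looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the jars the minutes talk about (names are illustrative).
SAMPLE_JARS = {
    "servlet-api-3.1.0.jar": make_fake_jar({
        "javax/servlet/Filter.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34javax/servlet/Filter",
    }),
    "jgit-http-server.jar": make_fake_jar({
        "org/eclipse/jgit/http/server/GitServlet.class":
            b"\xca\xfe\xba\xbe\x00\x00\x00\x34jakarta/servlet/http/HttpServlet",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    }),
    "gerrit-httpd.jar": make_fake_jar({
        "com/google/gerrit/httpd/GitOverHttpServlet.class":
            b"\xca\xfe\xba\xbe\x00\x00\x00\x34javax/servlet/http/HttpServlet",
    }),
}


if __name__ == "__main__":
    # Usage: python servlet_ns_check.py lib/*.jar  (falls back to the constructed sample set)
    jars = {p: open(p, "rb").read() for p in sys.argv[1:]} or SAMPLE_JARS
    javax, jakarta = partition_by_namespace(jars)
    print("javax.servlet  :", sorted(javax))
    print("jakarta.servlet:", sorted(jakarta))
    if is_mixed(jars):
        print("MIXED: these jars cannot share one servlet container")
        sys.exit(1)
```

The substring scan over class bytes is a heuristic: it reports a namespace whenever any class in the jar mentions it, which is exactly what matters for the container, but a shaded or relocated copy of the API would appear under its relocated package and match neither prefix.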
### SPAM on gerrit-review.googlesource.com (ESC of July 23)

Spammers have been targeting Gerrit changes on gerrit-review.googlesource.com.

The repo-discuss mailing list has a message moderation policy that allows
existing regular members to keep on posting without delay, while new
users require manual approval by a moderator. Taking the same
approach for Gerrit would be one option.

Patrick offered to also check another option, where gerrit-review.googlesource.com
could require strong authentication (e.g. using Google Authenticator or
a valid mobile phone with text message verification) before allowing
users to access Gerrit.

### Security issues when running Gerrit on Windows Server (ESC of July 23)

Gerrit Code Review is not actively tested, verified or supported on
Microsoft Windows Server. The ESC members agree that this status quo
needs to be made more visible and explicit in the Gerrit
documentation. It is not in the interest of the community to actively
fix problems reported on Windows Server, including security issues, when
they do not impact Linux or other popular Unix platforms.

Luca has created [Change 433917](https://gerrit-review.googlesource.com/c/gerrit/+/433917)
to amend the Gerrit documentation accordingly.

### Library compliance speed-lane (ESC of Mar 6)

Saša highlighted that library updates in the Gerrit code-base are
often slowed down by delays in obtaining the `Library-Compliance +1` vote,
and therefore in getting the changes merged.

Patrick highlighted the challenges at Google, where all libraries need
to be aligned across all products; this takes time because of the
associated code changes.

Luca proposed a _speed-lane_ process where dependency updates can be trialled
in the Gerrit open-source community first and adopted by Google at a later
time, once the product alignment process is complete. That would be
feasible if the dependency changes do not involve source code changes in the
Gerrit code-base but only a different build process.

The ESC agreed to document the _speed-lane_ process and to trial it on the
forthcoming dependency updates, especially the urgent ones related to security
fixes in 3rd party libraries.

### Gerrit-CI security incident - CVE-2024-23897 (ESC of Mar 6)

Luca reported the status of the actions taken to mitigate the impact of the
[Jenkins security vulnerability CVE-2024-23897](https://nvd.nist.gov/vuln/detail/CVE-2024-23897)
on the Gerrit CI. The sequence of events, mitigations and post-mortem analysis
is published on [Google Docs](https://docs.google.com/document/d/1vDjunjDrLYYpVoVON-B_c83f56Nhm-lMDMjXmYmFYk4/edit#heading=h.okh75qn4l4b9)
and all actions have been completed, with the split of the CI system into two parts:

- [Public Gerrit CI](https://gerrit-ci.gerritforge.com) for incoming change validations,
without any stored credentials or keys.

- Private Gerrit CI (not exposed to any external network) for publishing the Gerrit
homepage and other end-to-end validations that require the use of stored credentials.

### Transition of the RBE executions to BuildBuddy (ESC of Mar 6)

Luca presented the [work done by Alvaro](https://groups.google.com/g/repo-discuss/c/jQPgaKmaNQA)
for transitioning the execution of Gerrit RBE builds to BuildBuddy with on-premises workload executors.

The ESC agreed to transition the executions to BuildBuddy / on-premises.