Received: by 10.52.29.227 with SMTP id n3mr332643vdh.7.1328139540353;
        Wed, 01 Feb 2012 15:39:00 -0800 (PST)
X-BeenThere: reviewboard-dev@googlegroups.com
Received: by 10.52.64.241 with SMTP id r17ls37404vds.0.gmail; Wed, 01 Feb 2012
 15:39:00 -0800 (PST)
Received: by 10.52.72.230 with SMTP id g6mr373636vdv.5.1328139539973;
        Wed, 01 Feb 2012 15:38:59 -0800 (PST)
Received: by 10.52.72.230 with SMTP id g6mr373635vdv.5.1328139539963;
        Wed, 01 Feb 2012 15:38:59 -0800 (PST)
Return-Path: <j...@pobox.com>
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com. [66.111.4.25])
        by gmr-mx.google.com with ESMTPS id jz14si161990vdb.1.2012.02.01.15.38.59
        (version=TLSv1/SSLv3 cipher=OTHER);
        Wed, 01 Feb 2012 15:38:59 -0800 (PST)
Received-SPF: neutral (google.com: 66.111.4.25 is neither permitted nor denied by domain of j...@pobox.com) client-ip=66.111.4.25;
Authentication-Results: gmr-mx.google.com; spf=neutral (google.com: 66.111.4.25 is neither permitted nor denied by domain of j...@pobox.com) smtp.mail=...@pobox.com; dkim=pass header...@messagingengine.com
Received: from compute5.internal (compute5.nyi.mail.srv.osa [10.202.2.45])
	by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id A065220BD3
	for <reviewboard-dev@googlegroups.com>; Wed,  1 Feb 2012 18:38:59 -0500 (EST)
Received: from frontend1.nyi.mail.srv.osa ([10.202.2.160])
  by compute5.internal (MEProxy); Wed, 01 Feb 2012 18:38:59 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
	messagingengine.com; h=date:from:to:subject:in-reply-to
	:message-id:references:mime-version:content-type; s=smtpout; bh=
	IVEiuZWhwDOusmjbHJwxCksH3MY=; b=i6goW7udFzyzrT+7rOlDSAi0yCcBhSWF
	Nh8fdn7zK4XY1wgNSNVyVAuyUaS7ELnYJVxqDrVAVBDJhGSuIz8IVa5tZ45/5dIu
	AND3ecVv3/Wnl25UAZ9nqD+vFNMz1uJoip9wp43l+WoMt5VV8gxKY1i1sOz/QuOn
	nEK4ETkVFIE=
X-Sasl-enc: UPVpm7hF08gyb9/7HylAM2On4QoMid2Xyz2Fx1SS84AX 1328139539
Received: from alice (cpc3-nmal4-0-0-cust1298.croy.cable.virginmedia.com [82.43.165.19])
	by mail.messagingengine.com (Postfix) with ESMTPSA id 357658E008F
	for <reviewboard-dev@googlegroups.com>; Wed,  1 Feb 2012 18:38:59 -0500 (EST)
Date: Wed, 1 Feb 2012 23:38:52 +0000 (GMT)
From: John J Lee <j...@pobox.com>
To: reviewboard-dev@googlegroups.com
Subject: Re: Automated Static Analysis on Review Request
In-Reply-To: <CA+A4QR36trg25dPBZVs1pTHrVW3R2SM=+K2_4ikX-+0O+i_...@mail.gmail.com>
Message-ID: <alpine.DEB.2.00.1202012114090.2...@localhost6.localdomain6>
References: <CA+A4QR36trg25dPBZVs1pTHrVW3R2SM=+K2_4ikX-+0O+i_...@mail.gmail.com>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

On Mon, 30 Jan 2012, Steven MacLeod wrote:

> I'm currently writing a Review Board extension (ReviewBot) which aims to
> automate execution of static analysis tools on proposed code.

Great.


(RB below == ReviewBoard, not ReviewBot!)

>    ** Ship-it if no problems

As I'm sure you know, review workflows differ -- for example, some 
workflows allow commit when there's at least one ship-it.  In that 
workflow you probably prefer that the bot doesn't give a ship-it 
(otherwise, it's hard to prioritize your effort as a reviewer because you 
can't see quickly which reviews have a ship-it already and which don't). 
It would be nice if ReviewBot were to be as flexible as RB itself about 
that kind of variation.

While an arbitrary hook that can perform any action is completely 
flexible, no matter how simple it is to write a plugin, there's always 
some annoying work to implement the hook and adapt it to your PEP8 tool 
(or whatever it is the plugin does).  Nothing beats just installing 
somebody else's plugin and having it just work.

So, another way to preserve that flexibility, which I think is better 
because it's more convenient for the various kinds of RB user involved, 
would be for plugins to stay out of doing concrete actions like adding 
concrete RB comments, adding issues, adding a ship-it, etc.  This is in 
contrast to your web-hook idea as you first stated it, where the hook gets 
to make whatever RB API calls it likes.  Having the plugins not be 
responsible for those actions does also have the advantage that it would 
decouple the plugins from RB.  In principle, that would mean users of 
other review tools (notably gerrit) could contribute plugins that would 
work on RB (as well as on gerrit) -- your web hook idea fits well with 
that hope.

This makes life easy for people deploying RB, because they can just 
install the PEP8 plugin somebody else wrote, and start off by leaving 
ReviewBot set to its default behaviour for what actions to perform. 
Maybe they then have five minutes later to change some ReviewBot 
configuration to set a few flags like "Don't give a ship-it".

It makes life easy for plugin authors because they get an API to code to 
that's much simpler than the full RB API (see below).  And maybe a gerrit 
user already wrote the plugin they want, so they have nothing to do (maybe 
wishful thinking, but seems there's scope for a little bit of cooperation 
here).

Probably 90% of workflows could be dealt with using built-in ReviewBot 
code plus a couple of configuration options (add a ship it or not, add 
issues or not), but there's always the option of adding another hook in 
future to customize the actions arbitrarily.


> Mike Conley and I discussed the possibilities of a WebHooks extension to
> solve this problem. When a review is published, a web request could be
> fired off to ReviewBot on another server, which could run each tool, and
> then use the API to post the reviews.

Sounds easy (to use).  What arguments would the hook take?

Per my points above re flexibility to workflow and ease of use: how about, 
rather than suggesting that plugins use the full RB API, just exposing a 
very simple ReviewBot API to the plugins, which allows only for submitting 
a set of abstract comments.  By "abstract", I just mean not actual RB 
comments, but rather along the lines of (suitably REST-encoded) tuples 
(file path, start line number, end line number, severity).  ReviewBot 
itself is then responsible for turning those into concrete RB comments, 
issues, ship-its, etc.

(Side issue: With the severity field there I'm thinking it might be useful 
to allow for indicating potential problems where the tool can't be sure 
that the problem is real.)

Of course there's nothing here to stop the plugins doing RB API calls: I'm 
just suggesting that providing a simpler alternative is easier for both 
plugin authors and RB deployers.


> Another option Christian Hammond mentioned to me was using distributed task
> queues (See python Celery: http://celeryproject.org/). This is something
> being looked in to already for distributing the diff processing, and could
> also be applied to ReviewBot.

Perhaps that solves some problems for reviewboard (fair enough).  It 
doesn't sound like it solves a problem for ReviewBot plugin authors or 
people deploying RB?


Oops, that was much longer than I intended, sorry!


John