new_usages_require_review = True
include_rules = [ "+base/foo/bar" ]
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CABiQX1UbNvrje4GYcHEECVeoQdtWCxwhY___7RDF9PkL8XjrAQ%40mail.gmail.com.
If //foo/bar requires review but //foo doesn't, can other components bypass the review requirement just by adding "//foo" to their include_rules?
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAC_ixdwSG3uMyORWwuDGhOc0tzgTt6YGnPqMG0FKfofhbvaFNQ%40mail.gmail.com.
That's a good call out! I think this case is covered if //foo/bar also sets noparent=True, but wouldn't catch it in absence of that.
I don't see how this could be implemented in the absence of that, so please add noparent=True if this applies to you.
Thanks!On Tue, Oct 15, 2024 at 6:09 PM Andrew Grieve <agr...@chromium.org> wrote:That's a good call out! I think this case is covered if //foo/bar also sets noparent=True, but wouldn't catch it in absence of that.Could you verify (if you haven't) that setting noparent=True in //foo/bar means that a //foo/OWNERS +1 of a new DEP on //foo/bar won't satisfy the tooling?
I don't see how this could be implemented in the absence of that, so please add noparent=True if this applies to you.I suggest that we make it so that having `new_usages_require_review` *requires* `noparent`. The former is pretty much meaningless without the latter, but that might not be at all obvious when people add the flag (and nothing would necessarily alert them to it).
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CABiQX1V_wg-0%2B1RrS50GJtuckQfghqYKb_0JMN-hbDzwLz1V2w%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAAHOzFDW%3DO%3Dzqin_Qas1N-EkQ%2BbFuOofJygqC-8c1wNH04jkbA%40mail.gmail.com.
Oooh, bikeshedding!
How about something like
[restricted|controlled|guarded|moderated]_dependency_management
On Tue, Oct 15, 2024 at 4:37 PM Tommy Nyquist <nyq...@chromium.org> wrote:Oooh, bikeshedding!Indeed :)
How about something like
[restricted|controlled|guarded|moderated]_dependency_managementAll good candidates. I'm currently liking the idea of just having "new_usages_require_review=True" replace "noparent=True". It pretty accurately describes what "noparent=True" means.--TommyOn Tue, Oct 15, 2024 at 12:47 PM Peter Kasting <pkas...@chromium.org> wrote:Perhaps just one flag, but it's named something semantic and general instead of behavioral and specific like these two flags.What common property of a directory results in behaviors like "ignore parents" and "require review of new usage" being true?"Usage requires human consideration"? "Sensitive contents"? "Usage is not mechanical"? "Local owners should verify uses"?PKOn Tue, Oct 15, 2024, 11:04 AM Andrew Grieve <agr...@chromium.org> wrote:On Tue, Oct 15, 2024 at 12:27 PM Colin Blundell <blun...@chromium.org> wrote:Thanks!On Tue, Oct 15, 2024 at 6:09 PM Andrew Grieve <agr...@chromium.org> wrote:That's a good call out! I think this case is covered if //foo/bar also sets noparent=True, but wouldn't catch it in absence of that.Could you verify (if you haven't) that setting noparent=True in //foo/bar means that a //foo/OWNERS +1 of a new DEP on //foo/bar won't satisfy the tooling?The code I'm adding would not catch this at OWNERS approvals level.However, the code that actually checks your #includes against DEPS files (//tools/checkdeps), should fail in this scenario. If there's a bug with it, then that's kinda tangential to this change (but there are unit tests and many real usages, so it very likely works fine).Once the normal checkdeps check forces you to add in the child entry, then the OWNERS check will kick in.
Aha, yes! I've been mixing up OWNERS vs DEPS noparent semantics!I agree, and I'll work on updating checkdeps to handle:
- We'd need to ensure that when a new include is added on bar/baz, bar/ being in DEPS of the dir with the include doesn't satisfy checkdeps.
I think the existing OWNERS noparent should be sufficient to cover:
- We'd need to ensure that when bar/baz is added to a DEPS entry, a +1 from an OWNER of bar/ doesn't satisfy the code review requirements (this is why I was thinking about "noparent" in OWNERS files, but the rule can be standalone regardless of whether "noparent" is in bar/baz/OWNERS).
On Wed, Oct 16, 2024 at 6:50 PM Andrew Grieve <agr...@chromium.org> wrote:Aha, yes! I've been mixing up OWNERS vs DEPS noparent semantics!I agree, and I'll work on updating checkdeps to handle:
- We'd need to ensure that when a new include is added on bar/baz, bar/ being in DEPS of the dir with the include doesn't satisfy checkdeps.
👍I think the existing OWNERS noparent should be sufficient to cover:
- We'd need to ensure that when bar/baz is added to a DEPS entry, a +1 from an OWNER of bar/ doesn't satisfy the code review requirements (this is why I was thinking about "noparent" in OWNERS files, but the rule can be standalone regardless of whether "noparent" is in bar/baz/OWNERS).
Do you know whether we could verify this on the test CL without actually trying to land it? I've only seen these "need +1 from OWNER of directory added in DEPS" check kick in when CQ+2'ing a CL.
On Thu, Oct 17, 2024 at 4:58 AM Colin Blundell <blun...@chromium.org> wrote:On Wed, Oct 16, 2024 at 6:50 PM Andrew Grieve <agr...@chromium.org> wrote:Aha, yes! I've been mixing up OWNERS vs DEPS noparent semantics!I agree, and I'll work on updating checkdeps to handle:
- We'd need to ensure that when a new include is added on bar/baz, bar/ being in DEPS of the dir with the include doesn't satisfy checkdeps.
👍I think the existing OWNERS noparent should be sufficient to cover:
- We'd need to ensure that when bar/baz is added to a DEPS entry, a +1 from an OWNER of bar/ doesn't satisfy the code review requirements (this is why I was thinking about "noparent" in OWNERS files, but the rule can be standalone regardless of whether "noparent" is in bar/baz/OWNERS).
Do you know whether we could verify this on the test CL without actually trying to land it? I've only seen these "need +1 from OWNER of directory added in DEPS" check kick in when CQ+2'ing a CL.This part is just the existing OWNERS noparent logic, so I think can be relied upon?
I think without a "noparent=True" in the OWNERS, it should be fine for a parent OWNER to +1 a CL even in the presence of a child's new_usages_require_review=True.
This has now landed.To recap:1) You no longer need OWNERS approval from the directory that you are adding via "+allow/this/thing", unless "//allow/this/thing" or an ancestor contains "new_usages_require_review=True" in their DEPS2) If "foo/bar/DEPS" contains "new_usages_require_review=True", a DEPS entry of "+foo" will not permit #includes to "foo/bar". You'd need to additionally add "+foo/bar".
On Fri, Nov 29, 2024 at 4:22 PM Andrew Grieve <agr...@chromium.org> wrote:This has now landed.To recap:1) You no longer need OWNERS approval from the directory that you are adding via "+allow/this/thing", unless "//allow/this/thing" or an ancestor contains "new_usages_require_review=True" in their DEPS2) If "foo/bar/DEPS" contains "new_usages_require_review=True", a DEPS entry of "+foo" will not permit #includes to "foo/bar". You'd need to additionally add "+foo/bar".Great, thanks! I think that this is a good balance between developer productivity and long-term architectural robustness.
On Mon, Dec 2, 2024 at 2:47 PM Colin Blundell <blun...@chromium.org> wrote:On Fri, Nov 29, 2024 at 4:22 PM Andrew Grieve <agr...@chromium.org> wrote:This has now landed.To recap:1) You no longer need OWNERS approval from the directory that you are adding via "+allow/this/thing", unless "//allow/this/thing" or an ancestor contains "new_usages_require_review=True" in their DEPS2) If "foo/bar/DEPS" contains "new_usages_require_review=True", a DEPS entry of "+foo" will not permit #includes to "foo/bar". You'd need to additionally add "+foo/bar".Great, thanks! I think that this is a good balance between developer productivity and long-term architectural robustness.A followup question: Did you verify/add logic to enforce that "when foo/bar is added to a DEPS entry, a +1 from an OWNER of foo/ doesn't satisfy the code review requirements"? It's not obvious to me that that condition would a priori be enforced by current OWNERS checks, but it seems important to fully enforce the semantics of this tag.
On Mon, Dec 2, 2024 at 8:52 AM Colin Blundell <blun...@chromium.org> wrote:On Mon, Dec 2, 2024 at 2:47 PM Colin Blundell <blun...@chromium.org> wrote:On Fri, Nov 29, 2024 at 4:22 PM Andrew Grieve <agr...@chromium.org> wrote:This has now landed.To recap:1) You no longer need OWNERS approval from the directory that you are adding via "+allow/this/thing", unless "//allow/this/thing" or an ancestor contains "new_usages_require_review=True" in their DEPS2) If "foo/bar/DEPS" contains "new_usages_require_review=True", a DEPS entry of "+foo" will not permit #includes to "foo/bar". You'd need to additionally add "+foo/bar".Great, thanks! I think that this is a good balance between developer productivity and long-term architectural robustness.A followup question: Did you verify/add logic to enforce that "when foo/bar is added to a DEPS entry, a +1 from an OWNER of foo/ doesn't satisfy the code review requirements"? It's not obvious to me that that condition would a priori be enforced by current OWNERS checks, but it seems important to fully enforce the semantics of this tag.I verified that if you add an entry for "+foo/bar", then an approval from a "foo" owner is not sufficient so long as foo/bar/OWNERS has noparent=True.
On Mon, Dec 2, 2024 at 3:59 PM Andrew Grieve <agr...@chromium.org> wrote:On Mon, Dec 2, 2024 at 8:52 AM Colin Blundell <blun...@chromium.org> wrote:On Mon, Dec 2, 2024 at 2:47 PM Colin Blundell <blun...@chromium.org> wrote:On Fri, Nov 29, 2024 at 4:22 PM Andrew Grieve <agr...@chromium.org> wrote:This has now landed.To recap:1) You no longer need OWNERS approval from the directory that you are adding via "+allow/this/thing", unless "//allow/this/thing" or an ancestor contains "new_usages_require_review=True" in their DEPS2) If "foo/bar/DEPS" contains "new_usages_require_review=True", a DEPS entry of "+foo" will not permit #includes to "foo/bar". You'd need to additionally add "+foo/bar".Great, thanks! I think that this is a good balance between developer productivity and long-term architectural robustness.A followup question: Did you verify/add logic to enforce that "when foo/bar is added to a DEPS entry, a +1 from an OWNER of foo/ doesn't satisfy the code review requirements"? It's not obvious to me that that condition would a priori be enforced by current OWNERS checks, but it seems important to fully enforce the semantics of this tag.I verified that if you add an entry for "+foo/bar", then an approval from a "foo" owner is not sufficient so long as foo/bar/OWNERS has noparent=True.That's definitely good - thanks!It brings us back to a question I had earlier in this thread though - Wouldn't someone adding "new_usages_require_review" always have in mind "by the folks that own this directory" rather than "by anyone in the tree leading up to this directory"? i.e., why should we require that they also add "noparent" in the OWNERS file to get that semantics? Maybe they don't want "noparent" in the OWNERS file for whatever reason, or they just don't think of the fact that the two would need to be linked to achieve the full semantics.I could see arguing that it does make sense to link them, but I think that if we go that way we should surface that point in a presubmit message so folks are aware.
On Mon, Dec 2, 2024 at 11:13 AM Colin Blundell <blun...@chromium.org> wrote:On Mon, Dec 2, 2024 at 3:59 PM Andrew Grieve <agr...@chromium.org> wrote:On Mon, Dec 2, 2024 at 8:52 AM Colin Blundell <blun...@chromium.org> wrote:On Mon, Dec 2, 2024 at 2:47 PM Colin Blundell <blun...@chromium.org> wrote:On Fri, Nov 29, 2024 at 4:22 PM Andrew Grieve <agr...@chromium.org> wrote:This has now landed.To recap:1) You no longer need OWNERS approval from the directory that you are adding via "+allow/this/thing", unless "//allow/this/thing" or an ancestor contains "new_usages_require_review=True" in their DEPS2) If "foo/bar/DEPS" contains "new_usages_require_review=True", a DEPS entry of "+foo" will not permit #includes to "foo/bar". You'd need to additionally add "+foo/bar".Great, thanks! I think that this is a good balance between developer productivity and long-term architectural robustness.A followup question: Did you verify/add logic to enforce that "when foo/bar is added to a DEPS entry, a +1 from an OWNER of foo/ doesn't satisfy the code review requirements"? It's not obvious to me that that condition would a priori be enforced by current OWNERS checks, but it seems important to fully enforce the semantics of this tag.I verified that if you add an entry for "+foo/bar", then an approval from a "foo" owner is not sufficient so long as foo/bar/OWNERS has noparent=True.That's definitely good - thanks!It brings us back to a question I had earlier in this thread though - Wouldn't someone adding "new_usages_require_review" always have in mind "by the folks that own this directory" rather than "by anyone in the tree leading up to this directory"? i.e., why should we require that they also add "noparent" in the OWNERS file to get that semantics? Maybe they don't want "noparent" in the OWNERS file for whatever reason, or they just don't think of the fact that the two would need to be linked to achieve the full semantics.I could see arguing that it does make sense to link them, but I think that if we go that way we should surface that point in a presubmit message so folks are aware.IMO the current state makes the most sense.
- "new_usages_require_review=True" ==> "A reviewer of this directory is required"
- Without noparent=True in the OWNERS, then any ancestor review is "a reviewer of this directory".
- I don't think an implicit "noparent=True" would make sense, because it would mean the algorithm for choosing an OWNER is different from the one used by normal file modifications.
On Mon, Dec 2, 2024 at 5:27 PM Andrew Grieve <agr...@chromium.org> wrote:On Mon, Dec 2, 2024 at 11:13 AM Colin Blundell <blun...@chromium.org> wrote:On Mon, Dec 2, 2024 at 3:59 PM Andrew Grieve <agr...@chromium.org> wrote:On Mon, Dec 2, 2024 at 8:52 AM Colin Blundell <blun...@chromium.org> wrote:On Mon, Dec 2, 2024 at 2:47 PM Colin Blundell <blun...@chromium.org> wrote:On Fri, Nov 29, 2024 at 4:22 PM Andrew Grieve <agr...@chromium.org> wrote:This has now landed.To recap:1) You no longer need OWNERS approval from the directory that you are adding via "+allow/this/thing", unless "//allow/this/thing" or an ancestor contains "new_usages_require_review=True" in their DEPS2) If "foo/bar/DEPS" contains "new_usages_require_review=True", a DEPS entry of "+foo" will not permit #includes to "foo/bar". You'd need to additionally add "+foo/bar".Great, thanks! I think that this is a good balance between developer productivity and long-term architectural robustness.A followup question: Did you verify/add logic to enforce that "when foo/bar is added to a DEPS entry, a +1 from an OWNER of foo/ doesn't satisfy the code review requirements"? It's not obvious to me that that condition would a priori be enforced by current OWNERS checks, but it seems important to fully enforce the semantics of this tag.I verified that if you add an entry for "+foo/bar", then an approval from a "foo" owner is not sufficient so long as foo/bar/OWNERS has noparent=True.That's definitely good - thanks!It brings us back to a question I had earlier in this thread though - Wouldn't someone adding "new_usages_require_review" always have in mind "by the folks that own this directory" rather than "by anyone in the tree leading up to this directory"? i.e., why should we require that they also add "noparent" in the OWNERS file to get that semantics? Maybe they don't want "noparent" in the OWNERS file for whatever reason, or they just don't think of the fact that the two would need to be linked to achieve the full semantics.I could see arguing that it does make sense to link them, but I think that if we go that way we should surface that point in a presubmit message so folks are aware.IMO the current state makes the most sense.
- "new_usages_require_review=True" ==> "A reviewer of this directory is required"
- Without noparent=True in the OWNERS, then any ancestor review is "a reviewer of this directory".
- I don't think an implicit "noparent=True" would make sense, because it would mean the algorithm for choosing an OWNER is different from the one used by normal file modifications.
Oops, my "does" was meant to be "doesn't" in my last sentence above :P. i.e., I agree that it could make sense not to link them because linking them is indeed a bit of "spooky action at a distance", but I then strongly suggest that we add a presubmit message for the case when folks are adding "new_usages_require_review" without "noparent" being present in the OWNERS file to make sure that they're aware of the fact that without "noparent" being present in the OWNERS file they're not guaranteed that new usages will go for review to them. e.g., as a //chrome OWNER I get reviews for "blundell@ for this and that random bit of //chrome on this CL" all the time - on such CLs, my review would also implicitly cover any DEPS additions that fall into this case, whereas surely that wouldn't be the intent of the person adding this flag.Does that make sense?
There are now only a handful of new_usages_require_review=True directories, and it's not necessarily the case that ancestor OWNERS are not desirable for them. I don't think the concern is sufficiently common or severe to merit a presubmit check.