cipd: add ExemptFromVerifySoftwareArtifacts [infra/luci/luci-go : main]


Chenlin Fan (Gerrit)

Mar 4, 2026, 6:32:36 AM
to Vadim Shtayura, Robbie Iannucci, LUCI CQ, chromium...@chromium.org, infra-revi...@chromium.org
Attention needed from Robbie Iannucci and Vadim Shtayura

Chenlin Fan voted Commit-Queue+1

Submit Requirements:
  • requirement is not satisfied: Code-Owners
  • requirement is not satisfied: Code-Review
  • requirement is not satisfied: Review-Enforcement
Gerrit-MessageType: comment
Gerrit-Project: infra/luci/luci-go
Gerrit-Branch: main
Gerrit-Change-Id: I31e6ee9e60f888beeab3fd7cd321f17cb86cb50c
Gerrit-Change-Number: 7610909
Gerrit-PatchSet: 2
Gerrit-Owner: Chenlin Fan <fa...@chromium.org>
Gerrit-Reviewer: Chenlin Fan <fa...@chromium.org>
Gerrit-Reviewer: Robbie Iannucci <iann...@google.com>
Gerrit-Reviewer: Vadim Shtayura <vad...@chromium.org>
Gerrit-Attention: Vadim Shtayura <vad...@chromium.org>
Gerrit-Attention: Robbie Iannucci <iann...@google.com>
Gerrit-Comment-Date: Wed, 04 Mar 2026 11:32:32 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes

Vadim Shtayura (Gerrit)

Mar 23, 2026, 7:51:01 PM
to Chenlin Fan, Code Review Nudger, Robbie Iannucci, LUCI CQ, chromium...@chromium.org, infra-revi...@chromium.org
Attention needed from Chenlin Fan and Robbie Iannucci

Vadim Shtayura added 2 comments

File cipd/appengine/impl/repo/repo.go
Line 678, Patchset 2 (Latest): vsaResp = &api.VerifySoftwareArtifactResponse{Allowed: true}
Vadim Shtayura . unresolved

is it too late to convert this to an enum with variants `ALLOWED, REJECTED, EXEMPTED`? (Or somehow else identify that a package was exempted for VSA).

Alternatively, can we NOT call setVerificationSummary if the package was exempted? (that the lack of verification summary will serve as a signal it was exempted).

I just think storing "Allowed: true" for packages we haven't actually verified is wrong.

Edit: looks like setVerificationSummary does nothing if `resp.VerificationSummary == ""`. I think it will be clearer if this check was done here instead.

Line 688, Patchset 2 (Latest): if !vsaResp.Allowed {
Vadim Shtayura . unresolved

we should probably log packages exempted from the check

Submit Requirements:
  • requirement is not satisfied: Code-Owners
  • requirement is not satisfied: Code-Review
  • requirement is not satisfied: No-Unresolved-Comments
  • requirement is not satisfied: Review-Enforcement

Chenlin Fan (Gerrit)

Mar 23, 2026, 10:51:05 PM
to Code Review Nudger, Vadim Shtayura, Robbie Iannucci, LUCI CQ, chromium...@chromium.org, infra-revi...@chromium.org
Attention needed from Robbie Iannucci and Vadim Shtayura

Chenlin Fan added 2 comments

File cipd/appengine/impl/repo/repo.go
Line 678, Patchset 2: vsaResp = &api.VerifySoftwareArtifactResponse{Allowed: true}
Vadim Shtayura . resolved

is it too late to convert this to an enum with variants `ALLOWED, REJECTED, EXEMPTED`? (Or somehow else identify that a package was exempted for VSA).

Alternatively, can we NOT call setVerificationSummary if the package was exempted? (that the lack of verification summary will serve as a signal it was exempted).

I just think storing "Allowed: true" for packages we haven't actually verified is wrong.

Edit: looks like setVerificationSummary does nothing if `resp.VerificationSummary == ""`. I think it will be clearer if this check was done here instead.

Chenlin Fan

The proto is copied from https://source.corp.google.com/piper///depot/google3/google/internal/bcid/softwareverifier/v1/software_verifier_service.proto;l=255 so we probably don't want to change its fields.

Updated to only call `setVerificationSummary` when `resp.VerificationSummary != ""`. I will keep the checks in setVerificationSummary until we remove the backfill logic.

Line 688, Patchset 2: if !vsaResp.Allowed {
Vadim Shtayura . resolved

we should probably log packages exempted from the check

Chenlin Fan

Done

Submit Requirements:
  • requirement is not satisfied: Code-Owners
  • requirement is not satisfied: Code-Review
  • requirement is not satisfied: Review-Enforcement
Gerrit-PatchSet: 3
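
The concern raised in this review, that an exempted package recorded as `Allowed: true` is indistinguishable from one that was actually verified, is sketched below together with the two outcomes agreed on (log exemptions, store a summary only when one exists). This is an added example, not code from the luci-go change: `Outcome`, `Response`, `Check`, the `exempt` map and the `setSummary` callback are hypothetical stand-ins, and the package names are constructed.

```go
package main

import (
	"fmt"
	"log"
)

// Outcome is a hypothetical tri-state result. The zero value is Rejected, so
// an uninitialised Outcome fails closed.
type Outcome int

const (
	Rejected Outcome = iota
	Allowed
	Exempted
)

// Response is a stand-in for a verifier reply (not the real api type).
type Response struct {
	Allowed             bool
	VerificationSummary string
}

// Check skips verification for exempt packages, logs the skip, and reports
// Exempted rather than Allowed. setSummary is called only for packages that
// were really verified and came back with a non-empty summary.
func Check(pkg string, exempt map[string]bool, verify func(string) (*Response, error),
	setSummary func(pkg, summary string)) (Outcome, error) {
	if exempt[pkg] {
		log.Printf("VSA check skipped, package is exempt: %q", pkg)
		return Exempted, nil
	}
	resp, err := verify(pkg)
	if err != nil {
		return Rejected, fmt.Errorf("verifying %q: %w", pkg, err)
	}
	if resp == nil || !resp.Allowed {
		return Rejected, nil
	}
	if resp.VerificationSummary != "" {
		setSummary(pkg, resp.VerificationSummary)
	}
	return Allowed, nil
}

func main() {
	ok := func(string) (*Response, error) { // constructed verifier reply
		return &Response{Allowed: true, VerificationSummary: "constructed-summary"}, nil
	}
	store := func(pkg, s string) { fmt.Println("stored summary for", pkg) }
	for _, pkg := range []string{"example/verified", "example/exempt"} {
		fmt.Println(Check(pkg, map[string]bool{"example/exempt": true}, ok, store))
	}
}
```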

Vadim Shtayura (Gerrit)

11:25 AM
to Chenlin Fan, Code Review Nudger, Robbie Iannucci, LUCI CQ, chromium...@chromium.org, infra-revi...@chromium.org
Attention needed from Chenlin Fan and Robbie Iannucci

Vadim Shtayura voted Code-Review+1

Submit Requirements:
  • requirement satisfied: Code-Owners
  • requirement satisfied: Code-Review
  • requirement satisfied: Review-Enforcement
Gerrit-PatchSet: 3
Gerrit-Comment-Date: Tue, 24 Mar 2026 15:25:02 +0000