|
| 1 | +# How to decide whether to rebase or backport |
| 2 | + |
| 3 | +## Rules |
| 4 | + |
| 5 | +There are no hard rules, but the general consensus is that a rebase means a higher chance of ABI breakage, |
| 6 | +and the majority of packages in RHEL have ACG level 2, meaning they have to maintain ABI compatibility |
| 7 | +for the entire lifecycle of a major RHEL release, thus rebasing is discouraged. |
| 8 | + |
| 9 | +## What can be automated |
| 10 | + |
| 11 | +Final decision is always on the maintainer, the automation could: |
| 12 | + |
| 13 | +- check past issues to see if the package is usually rebased, if the fixes are usually backported, |
| 14 | + or a combination of both, and suggest a way to proceed based on that |
| 15 | +- read ACG level of a package for a given RHEL release from https://gitlab.cee.redhat.com/rcm/lifecycle-defs |
| 16 | + - ACG level 4 or unset means high probability that a rebase would be allowed (even if there are ABI changes) |
| 17 | +- perform the rebase anyway, do a scratch build and provide results of abidiff check |
| 18 | + and output of reverse dependency tests |
| 19 | + |
| 20 | +The automation could also cite or link the RHEL Development Guide: |
| 21 | +https://one.redhat.com/rhel-development-guide/#_rebase_considerations |
| 22 | + |
| 23 | +## A way to indicate how to proceed |
| 24 | + |
| 25 | +There is a `Rebase` keyword in Jira that should be used for rebases, though I have found issues |
| 26 | +that were resolved with a rebase but without said keyword. Either way, it could be used as a clear indication |
| 27 | +that the maintainer has decided to proceed with a rebase. |
| 28 | + |
| 29 | +## Alternative approach |
| 30 | + |
| 31 | +The automation could do both rebasing and backporting as separate tasks and provide feedback for the maintainer to decide. |
| 32 | + |
| 33 | +## Maintainer feedback |
| 34 | + |
| 35 | +Rebasing is rare, because there is a high level of uncerntainty and a risk of changed behavior |
| 36 | +not covered with tests and hard to spot by a human but relied on by customers. Typically rebasing is only done in Fedora |
| 37 | +to cover the next major version of RHEL and during RHEL lifetime fixes are only backported. |
| 38 | + |
| 39 | +It is unusual for a component to have a good (if any) upstream test suite. Often there are only regression tests |
| 40 | +that have been written for RHEL over the time. This is again a factor that speaks against rebasing. |
| 41 | + |
| 42 | +Usually only teams/maintainers that are upstream for their components do rebases. |
| 43 | + |
| 44 | +### Human requirements |
| 45 | + |
| 46 | +#### Can AI decide the type of resolution? |
| 47 | + |
| 48 | +Yes, but we would need to define criteria for a risk-free rebase. This would involve e.g.: |
| 49 | + |
| 50 | +- there are no ABI changes |
| 51 | +- the amount of changed code is under risk threshold (needs to be defined) |
| 52 | +- there is a changelog that guarantees there are only bugfixes and no new features |
| 53 | + (as they would have to become supported) |
| 54 | +- new release is trusted/verifiable (to prevent supply chain attacks) |
| 55 | + |
| 56 | +#### Is a feedback from human vital/required? |
| 57 | + |
| 58 | +Not required if the rebase is deemed risk-free. |
| 59 | + |
| 60 | +#### What is the type of information we want from the real human? |
| 61 | + |
| 62 | +Version to rebase to, but that's usually specified or inferable from e.g. CVE description |
| 63 | +(`xterm before version 370 is vulnerable to buffer overflow`). |
| 64 | + |
| 65 | +#### Would it be welcomed to collect data for human to decide? |
| 66 | + |
| 67 | +Yes. |
0 commit comments