Research rebase vs. backport decision #226
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| # How to decide whether to rebase or backport | ||
|
|
||
| ## Rules | ||
|
|
||
| There are no hard rules, but the general consensus is that a rebase means a higher chance of ABI breakage, | ||
| and the majority of packages in RHEL have ACG level 2, meaning they have to maintain ABI compatibility | ||
| for the entire lifecycle of a major RHEL release, thus rebasing is discouraged. | ||
|
|
||
| ## What can be automated | ||
|
|
||
| Final decision is always on the maintainer, the automation could: | ||
|
|
||
| - check past issues to see if the package is usually rebased, if the fixes are usually backported, | ||
| or a combination of both, and suggest a way to proceed based on that | ||
| - read ACG level of a package for a given RHEL release from https://gitlab.cee.redhat.com/rcm/lifecycle-defs | ||
| - ACG level 4 or unset means high probability that a rebase would be allowed (even if there are ABI changes) | ||
| - perform the rebase anyway, do a scratch build and provide results of abidiff check | ||
| and output of reverse dependency tests | ||
|
Comment on lines
+17
to
+18
Member
There was a problem hiding this comment. in theory, we could do both and let the maintainer decide
Member
There was a problem hiding this comment. uh, you suggest this below :)
Member
There was a problem hiding this comment. do you see a value in doing some of the checks beforehand, I assume some license change check, also the ABI/API, comparing the CVEs present in both versions?
Member
Author
There was a problem hiding this comment.
You mean doing the checks on upstream sources? Sure, what would have some value, but the more downstream patches the less trustworthy it would be. |
||
|
|
||
| The automation could also cite or link the RHEL Development Guide: | ||
| https://one.redhat.com/rhel-development-guide/#_rebase_considerations | ||
|
|
||
| ## A way to indicate how to proceed | ||
|
|
||
| There is a `Rebase` keyword in Jira that should be used for rebases, though I have found issues | ||
| that were resolved with a rebase but without said keyword. Either way, it could be used as a clear indication | ||
| that the maintainer has decided to proceed with a rebase. | ||
|
|
||
| ## Alternative approach | ||
|
|
||
| The automation could do both rebasing and backporting as separate tasks and provide feedback for the maintainer to decide. | ||
|
|
||
| ## Maintainer feedback | ||
|
|
||
| Rebasing is rare, because there is a high level of uncerntainty and a risk of changed behavior | ||
| not covered with tests and hard to spot by a human but relied on by customers. Typically rebasing is only done in Fedora | ||
| to cover the next major version of RHEL and during RHEL lifetime fixes are only backported. | ||
|
|
||
| It is unusual for a component to have a good (if any) upstream test suite. Often there are only regression tests | ||
| that have been written for RHEL over the time. This is again a factor that speaks against rebasing. | ||
|
|
||
| Usually only teams/maintainers that are upstream for their components do rebases. | ||
|
|
||
| ### Human requirements | ||
|
|
||
| #### Can AI decide the type of resolution? | ||
|
|
||
| Yes, but we would need to define criteria for a risk-free rebase. This would involve e.g.: | ||
|
|
||
| - there are no ABI changes | ||
| - the amount of changed code is under risk threshold (needs to be defined) | ||
| - there is a changelog that guarantees there are only bugfixes and no new features | ||
| (as they would have to become supported) | ||
| - new release is trusted/verifiable (to prevent supply chain attacks) | ||
|
|
||
| #### Is a feedback from human vital/required? | ||
|
|
||
| Not required if the rebase is deemed risk-free. | ||
|
|
||
| #### What is the type of information we want from the real human? | ||
|
|
||
| Version to rebase to, but that's usually specified or inferable from e.g. CVE description | ||
| (`xterm before version 370 is vulnerable to buffer overflow`). | ||
|
|
||
| #### Would it be welcomed to collect data for human to decide? | ||
|
|
||
| Yes. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is an excellent point