<div dir="ltr">Josh, <div><br></div><div>Yep let's just make experiment in Rally and I will share experience with the rest of community. </div><div><br></div><div>Best regards,</div><div>Boris Pavlovic </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 3, 2015 at 9:45 PM, Joshua Harlow <span dir="ltr"><<a href="mailto:harlowja@outlook.com" target="_blank">harlowja@outlook.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Soooo, just some thoughts,<br>
<br>
If boris thinks this might help rally, why not just let him try it?<br>
<br>
If boris (and friends) will make the needed changes to jenkins or other to have whatever ACL format (avoid a turing complete language please) that says who can work in what directories in the rally repo then meh, why is this such a big deal? If it ends up not working out, oh well, if it ends up being a trust issue in the end, oh well, live and learn right?<br>
<br>
IMHO let boris try it, if it works out as a model for rally, more power to him, if it doesn't, well that's how people learn, and it can then be something that didn't work for rally. Everyone will move on, people will have learned what didn't work, and life will go on...<br>
<br>
It starts to feel that we have each a different model that we know and may not want to just let another model (that may or may not work well for rally) in. If we lived like that we'd probably all still be on horses and still think the world is flat and that the universe revolves around the earth.<br>
<br>
-Josh<br>
<br>
Boris Pavlovic wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
James B.<br>
<br>
One more time.<br>
Everybody makes mistakes and it's perfectly OK.<br>
I don't want to punish anybody and my goal is to make system<br>
that catch most of them (human mistakes) no matter how it is complicated.<br>
<br>
Best regards,<br>
Boris Pavlovic<br>
<br>
<br>
On Wed, Jun 3, 2015 at 5:33 PM, James Bottomley<br>
<<a href="mailto:James.Bottomley@hansenpartnership.com" target="_blank">James.Bottomley@hansenpartnership.com</a><br></span><div><div class="h5">
<mailto:<a href="mailto:James.Bottomley@hansenpartnership.com" target="_blank">James.Bottomley@hansenpartnership.com</a>>> wrote:<br>
<br>
On Wed, 2015-06-03 at 09:29 +0300, Boris Pavlovic wrote:<br>
> *- Why not just trust people*<br>
><br>
> People get tired and make mistakes (very often).<br>
> That's why we have blocking CI system that checks patches,<br>
> That's why we have rule 2 cores / review (sometimes even 3,4,5...)...<br>
><br>
> In ideal work Lieutenants model will work out of the box. In real<br>
life all<br>
> checks like:<br>
> person X today has permission to do Y operation should be checked<br>
> automatically.<br>
><br>
> This is exactly what I am proposing.<br>
<br>
This is completely antithetical to the open source model. You have to<br>
trust people, that's why the project has hierarchies filled with more<br>
trusted people. Do we trust people never to make mistakes? Of course<br>
not; everyone's human, that's why there are cross checks. It's simply<br>
not possible to design a system where all the possible human mistakes<br>
are eliminated by rules (well, it's not possible to imagine: brave new<br>
world and 1984 try looking at something like this, but it's impossible<br>
to build currently in practise).<br>
<br>
So, before we build complex checking systems, the correct question to<br>
ask is: what's the worst that could happen if we didn't? In this case,<br>
two or more of your lieutenants accidentally approve a patch not in<br>
their area and no-one spots it before it gets into the build.<br>
Presumably, even though it's not supposed to be their areas, they<br>
reviewed the patch and found it OK. Assuming the build isn't broken,<br>
everything proceeds as normal. Even if there was some subtle bug in the<br>
code that perhaps some more experienced person would spot, eventually it<br>
gets found and fixed.<br>
<br>
You see the point? This is roughly equivalent to what would happen<br>
today if a core made a mistake in a review ... it's a normal consequence<br>
we expect to handle. If it happened deliberately then the bad<br>
Lieutenant eventually gets found and ejected (in the same way a bad core<br>
would). The bottom line is there's no point building a complex<br>
permission system when it wouldn't really improve anything and it would<br>
get in the way of flexibility.<br>
<br>
James<br>
<br>
<br>
<br></div></div><span class="">
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</span></blockquote><div class="HOEnZb"><div class="h5">
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div>