Require two reviewers for complex or risky code changes #5996

Closed
teor2345 opened this issue Jan 18, 2023 · 3 comments · Fixed by #7158
Labels
A-devops Area: Pipelines, CI/CD and Dockerfiles C-enhancement Category: This is an improvement S-needs-triage Status: A bug report needs triage

Comments

@teor2345 (Contributor)

Motivation

We'd like to require two reviewers for complex or risky code changes.

We could do that by adding a new Mergify workflow at the top of the workflow list for these labels:

  • A-compatibility
  • A-concurrency
  • A-consensus
  • I-consensus
  • C-security
  • I-crash
  • I-destructive
  • I-hang
  • I-privacy
  • I-unbounded-growth
  • I-unsound

We'd also like two reviewers for unsafe code. We could:

  1. Auto-label PRs that change the paths for unsafe reviewers with a new A-unsafe label
  2. Add that label to the Mergify list

Testing

We'll see if it works for the first consensus or compatibility PR.

@teor2345 teor2345 added A-devops Area: Pipelines, CI/CD and Dockerfiles C-enhancement Category: This is an improvement S-needs-triage Status: A bug report needs triage P-Medium ⚡ labels Jan 18, 2023
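The two steps proposed above (a Mergify rule keyed on the risk labels, plus an auto-applied A-unsafe label) could look like the following. This is an added illustration written for this page, not configuration from the Zebra repository: the queue name `default`, the base branch `main`, the required check name `ci`, and the glob for "unsafe" code paths are all assumptions, and the three files are shown in one block with comments marking where each would live.

```yaml
# --- .github/mergify.yml (hypothetical) ---
queue_rules:
  - name: default
    conditions:
      - check-success=ci          # assumed name of the required CI check

pull_request_rules:
  # Rule 1, listed first: PRs carrying a risk label need two approvals
  # and no outstanding "changes requested" review before they are queued.
  - name: queue risky PRs once two reviewers have approved
    conditions:
      - base=main
      - "#approved-reviews-by>=2"
      - "#changes-requested-reviews-by=0"
      - or:
          - label=A-compatibility
          - label=A-concurrency
          - label=A-consensus
          - label=I-consensus
          - label=C-security
          - label=I-crash
          - label=I-destructive
          - label=I-hang
          - label=I-privacy
          - label=I-unbounded-growth
          - label=I-unsound
          - label=A-unsafe
    actions:
      queue:
        name: default

  # Rule 2: everything else keeps the single-approval rule. The risk labels
  # are excluded explicitly so the result does not depend on rule ordering:
  # a PR that later gains a risk label stops matching this rule immediately.
  - name: queue ordinary PRs once one reviewer has approved
    conditions:
      - base=main
      - "#approved-reviews-by>=1"
      - "#changes-requested-reviews-by=0"
      - -label=A-compatibility
      - -label=A-concurrency
      - -label=A-consensus
      - -label=I-consensus
      - -label=C-security
      - -label=I-crash
      - -label=I-destructive
      - -label=I-hang
      - -label=I-privacy
      - -label=I-unbounded-growth
      - -label=I-unsound
      - -label=A-unsafe
    actions:
      queue:
        name: default

# --- .github/labeler.yml (hypothetical; actions/labeler v4 syntax) ---
# Path globs are a placeholder: list the crates or modules that the
# project's unsafe-code reviewers are responsible for.
A-unsafe:
  - any:
      - 'path/to/unsafe-reviewed-code/**'

# --- .github/workflows/labeler.yml (hypothetical) ---
name: Label PRs by changed paths
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
  pull-requests: write        # needed to apply the label
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # pull_request_target runs the workflow from the base branch, so a
      # pull request cannot alter the workflow that labels it.
      - uses: actions/labeler@v4
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```

Two practical points. First, actions/labeler matches on file paths only, so the A-unsafe glob list has to be kept in step with where `unsafe` blocks actually live; it will not notice a new `unsafe` block added in a file outside those paths. Second, Mergify rules gate only what Mergify queues or merges; a maintainer can still press GitHub's own merge button after one approval unless branch protection (required approving reviews, which applies uniformly and cannot vary per label) is also configured.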
@str4d (Contributor) commented Jan 18, 2023

For reference, here is the review policy we use for zcashd, which is designed around "levels of bug impact":

  • PRs from ECC engineers that solely involve documentation or ancillary changes may be merged by the author without additional review. Equivalent PRs from community members may be reviewed and merged by a single ECC engineer.
    • A bug here can affect new users who aren’t familiar with Zcash, or people using ancillary non-zcashd tools.
  • PRs that touch the build system or general codebase require at least one code review. Either the author or reviewer may at their discretion block the PR on additional review; this will be stated explicitly in the PR comments.
    • A bug here can affect users that rely on zcashd for viewing the Zcash chain, or people who build zcashd. A DoS or crash-inducing bug could affect all zcashd users.
  • PRs that touch parts of the codebase which risk user funds (e.g. wallet serialization, transaction creation, bad key generation or storage, parsers) or user privacy (e.g. side channels) require at least two code reviews. At least one of them needs to be from an ECC engineer; if it’s a cryptography change, at least two of them need to be from ECC engineers.
    • A bug here can affect any user that relies on zcashd for managing their funds.
  • PRs that alter the consensus rules (or that perform significant refactoring of consensus code whether or not they are intended to alter the rules) require at least three code reviews; at least two of them need to be from ECC engineers. Just the two reviews from ECC engineers are sufficient if the change is a backport from Bitcoin Core-maintained code.
    • A bug here can affect the entire Zcash ecosystem.

@mpguerra mpguerra moved this to 🛑 Won't Fix in Zebra Jan 19, 2023
@mpguerra mpguerra added this to Zebra Jan 19, 2023
@mpguerra mpguerra moved this from 🛑 Won't Fix to 🆕 New in Zebra Jan 19, 2023
@mpguerra (Contributor)

Please add your planning poker estimate with Zenhub @gustavovalverde

Projects
Archived in project

3 participants