ChanServ changed the topic of #freedesktop to: https://www.freedesktop.org infrastructure and online services || for questions about freedesktop.org projects, please see each project's contact || for discussions about specifications, please use https://gitlab.freedesktop.org/xdg or xdg@lists.freedesktop.org
progandy has quit [Ping timeout: 480 seconds]
ngcortes has quit [Remote host closed the connection]
pobrn has quit [Ping timeout: 480 seconds]
rocka has joined #freedesktop
<rocka> I've just regsitered an account on gitlab.freedesktop.org, but it refused to log me in, and says "Your account is pending approval from your GitLab administrator and hence blocked. Please contact your GitLab administrator if you think this is an error."
<rocka> is there any qualification process?
<airlied> yes due to miner bots
<rocka> oh, then what should i do?
<airlied> await bentiss or daniels to approve it I think
Consolatis_ has joined #freedesktop
Consolatis is now known as Guest2253
Consolatis_ is now known as Consolatis
Guest2253 has quit [Ping timeout: 480 seconds]
<rocka> my GitLab account was approved, thank you!
systwi has quit [Ping timeout: 480 seconds]
systwi has joined #freedesktop
ximion has quit []
Rainer_Bielefeld_away has joined #freedesktop
systwi_ has joined #freedesktop
systwi has quit [Ping timeout: 480 seconds]
jarthur has joined #freedesktop
<daniels> it happens automatically
bittin has quit [Read error: Connection reset by peer]
bittin has joined #freedesktop
systwi_ has quit [Ping timeout: 480 seconds]
progandy has joined #freedesktop
danvet has joined #freedesktop
alanc has quit [Remote host closed the connection]
alanc has joined #freedesktop
bittin has quit []
mvlad has joined #freedesktop
MajorBiscuit has joined #freedesktop
<pq> Lyude, thanks :-)
<daniels> emersion: hrm, looks like captcha fell off
<emersion> sounds like good news to me πŸ™ˆ
<daniels> haha
<daniels> good news for people who object to running weird JavaScript, bad news for our ISP getting increasingly pissed off with us about the number of people reporting subscription requests as spam
Haaninjo has joined #freedesktop
Rainer_Bielefeld_away_ has joined #freedesktop
Rainer_Bielefeld_away has quit [Ping timeout: 480 seconds]
Rainer_Bielefeld_away has joined #freedesktop
pohly has joined #freedesktop
Rainer_Bielefeld_away_ has quit [Ping timeout: 480 seconds]
MrCooper has quit [Quit: Leaving]
MrCooper has joined #freedesktop
progandy has quit [Remote host closed the connection]
progandy has joined #freedesktop
tanty has quit []
tanty has joined #freedesktop
systwi has joined #freedesktop
Major_Biscuit has joined #freedesktop
MajorBiscuit has quit [Ping timeout: 480 seconds]
pobrn has joined #freedesktop
ofourdan has quit [Remote host closed the connection]
MajorBiscuit has joined #freedesktop
Major_Biscuit has quit [Ping timeout: 480 seconds]
ximion has joined #freedesktop
Rainer_Bielefeld_away has quit [Remote host closed the connection]
Kayden has quit [Quit: -> f2f]
<hakzsam> daniels: we would like to be able to run our private Fossilize repository as part of Mesa CI (we can't share it like traces etc). IIRC you had a solution for such a thing in the past? if so, can you share your suggestion?
<hakzsam> the question is about pre-merge, if that's not possible for security reasons or so, I can understand it and we will do post-merge only
Kayden has joined #freedesktop
jkhsjdhjs has quit [Quit: Error: Leaving not permitted]
jkhsjdhjs has joined #freedesktop
<mupuf> to add to what hakzsam said: we have a threadripper (16 cores, 64 GB of RAM IIRC) at our disposal that will be able to crunch through a lot of fossils... so I would expect that this could lead to the fossils database to be a bit too large to download on every run... any thoughts on this?
<hakzsam> maybe it's possible to avoid downloading it every time by storing the HEAD sha1 of that repo somewhere?
<mupuf> and I wonder how the process of adding fossils should look like. I assume you will want a list of immutable fossils in Mesa, so that updates can be tested pre-merge
<hakzsam> "immutable fossils" ?
<mupuf> yeah, that means fossils need to be versioned. You can't reuse the same name when updating a game's fossil
<mupuf> well, another solutino to that would be to use a git repo
<mupuf> there, names don't matter
<mupuf> the point is that if a fossils run worked at instant t, it should work at any time in the future
<hakzsam> we rarely update a game's fossil
<hakzsam> I think the sha1 should be tracked somewhere and updated when we add new fossils to that private repo
<mupuf> if we were to update a local fossils folder/bucket, this could break the issue
<mupuf> agreed, that's a better way of keeping the fossils
<mupuf> as for rarely updating a game's fossils... I think we should.
<hakzsam> yeah, we should
<hakzsam> but we don't :)
ximion has quit []
<hakzsam> mupuf: maybe we should start to add it for post-merge?
<mupuf> I'd rather merge it upstream directly... but we can experiment there if needed
* mupuf is just curious about how we would deal with the access control
<mupuf> I'm sure bentiss/daniels will have a JWT-based solution... not sure how this would work with a git repo though
<bentiss> not sure what fossils are, but if you need a private repo only selected users and marge can have acceess, gitlab should already have it, no?
<hakzsam> it's a collection of vulkan pipelines for compilation testing, regression etc
<hakzsam> they are captured from games directly, this is why we can't share them
<bentiss> well, for secure data, we are storing them on a separate minio for now, like mesa traces, it's just that they are not versioned, in the way that it's not a git repo but plain dir
<mupuf> bentiss: that's what I thought, hence why I was saying we should never update a file... just create a new one
<mupuf> that being said: what if we have 10GB of fossils? We can't just be downloading it every run, can we?
<bentiss> mupuf: depends on where you run the CI
<bentiss> if it's on equinix, no problem at all
<bentiss> if not, then you probably should have a local proxy
<mupuf> ack. I guess we could experiment with that... and hope it won't take too long
<hakzsam> current repo is 515MiB btw
<mupuf> bentiss: the local proxy would just be an HTTP proxy?
<bentiss> sigh, one more guy trying to use tmate... sorry, back in 2 min
<mupuf> bentiss: good luck!
<bentiss> done, just banned the user
<mupuf> good that you have such nice monitoring
* bentiss just looks at the jobs every now and then
<bentiss> I'm really glad I blocked tmate users with that simple trick :)
<bentiss> mupuf: re local proxy, I think we have a doc somewhere, I just need to find it
* mupuf can easily add this local proxy in valve-infra
<mupuf> I can try to find the doc tomorrow, and ping you if I can't find it
<bentiss> mupuf: daniels and probably anholt should know where the doc is
<mupuf> ack, thanks!
* mupuf clocks out for today... our garden shed is not gonna build itself :s
systwi_ has joined #freedesktop
systwi has quit [Ping timeout: 480 seconds]
<daniels> so what we do have for this already is a traces-db-private repo; access to the project/repo is limited to select users
<daniels> each CI job comes with a JWT identifying the repo, user, etc; that's signed by a JWK available through a known endpoint on https://gl.fd.o so you can verify it
<daniels> we use OPA as the policy mechanism to first verify the provided JWT and then authorise each request, per https://gitlab.freedesktop.org/freedesktop/helm-gitlab-config/-/blob/master/gitlab-minio-provision/values/minio/fdo-opa/fdo-policy.rego#L153
<daniels> so the total flow is:
<daniels> * authorised user pushes new trace (and yes these are immutable - if you need to rev the trace then you create a new file, without exception)
<daniels> * CI pipeline in traces-db-private pushes new file to MinIO (authorised because the job is running from the traces-db-private repo)
<daniels> * random user tries to pull file from MinIO, rejected by policy
<daniels> * Marge in mesa/mesa tries to pull file from MinIO, accepted because marge is allowed to read those traces
<daniels> mupuf: also, paint it blue
MajorBiscuit has quit [Quit: WeeChat 3.5]
Rainer_Bielefeld_away has joined #freedesktop
pobrn has quit [Quit: Konversation terminated!]
pobrn has joined #freedesktop
progandy has quit [Ping timeout: 480 seconds]
progandy has joined #freedesktop
Seirdy has joined #freedesktop
AbleBacon has joined #freedesktop
Kayden has quit [Quit: go home]
anholt_ has joined #freedesktop
anholt has quit [Ping timeout: 480 seconds]
ds` has quit [Quit: ...]
ds` has joined #freedesktop
<mupuf> daniels: thanks for the explanation and the link to the docs!
<mupuf> can other users than marge be added to the list of accepted users? I kinda like having manual jobs available for devs to test shit during review
<mupuf> bentiss: thanks, I'll check it out tomorrow, after finishing the install of the roof tiles on this literal shed :D
<mupuf> daniels: and no, sorry, I went with a wood stain. Wanna argue over it? :D :D :D
Kayden has joined #freedesktop
<daniels> mupuf: yep, scroll up to the list :) it’s all mutable; we can have different people for different repos
pobrn has quit [Quit: Konversation terminated!]
pobrn has joined #freedesktop
pohly has quit []
ngcortes has joined #freedesktop
Rainer_Bielefeld_away has quit []
mvlad has quit [Remote host closed the connection]
danvet has quit [Ping timeout: 480 seconds]
Haaninjo has quit [Quit: Ex-Chat]
ximion has joined #freedesktop
jstein has joined #freedesktop
famfo has quit []
jstein has quit []
ngcortes has quit [Remote host closed the connection]