Move soot to another Github organization #1305
Comments
If we go with "secure-software-engineering", we might eventually run into the same problem, i.e., we will not have the possibility to manage fine-grained access control. It might make sense to have a clear separation here.
What currently comes to my mind:
Regarding the wiki urls, I do not know how many are affected. I guess this would be the biggest task of the three. Are you planning to also change the package naming of soot? This would break compatibility with existing clients. Additionally, we would also have to register the new group id at Sonatype got to get access rights for pushing to Maven Central. I'm not against it per se, though. I'll think a bit more if I missed some things... |
I agree. So let's create a Soot organization then.
That should be easy.
One question in this context: might it make sense to migrate the jenkins setup to Github actions and build things there? From what I understand, this would simplify access control to the build.
I guess this can be handled by editing the Wiki files offline using sed or so.
We should probably do that for the next major release. |
That indeed might be a good idea. We would not rely on our own infrastructure anymore since ci is directly in GitHub and artifacts are deployed to maven central. The drawback here is that we will have to invest a bit more time to get everything working with the GitHub actions system.
Good point.
What's your preferred package/group id? They do not necessarily have to match but it's advisable to be consistent here. |
I think we should do it, given that we'd need to update things anyway.
I can take care of this if you like. I would patch this in a separate branch for now.
We could also try to get a new, separate domain such as soot.org. I can look into this. |
|
Looping in @StevenArzt |
Agreed. I'll do that as soon as I find a bit of time for it. Maybe we should do this before moving the project so that everything works without disruptions (assuming the actions will be moved with the repository).
Nice, thanks!
That would be great! |
|
I agree that we should have a distinct organization for Soot on Github. Linking a large open-source project to an individual organization always leads to hassle when people move between organizations, or when organization add new stakeholders, that suddely end up having access to repositories for which they shouldn't. I would also recommend registering a proper domain for Soot, such as |
|
It seems we are in agreement - great! The github organization "soot" is already taken, so I have registered "soot-oss" instead. I will invite you as owners and then we can add other later once the project has been set up. |
|
Regarding domains I saw that most soot.* domains are already taken, but there is now also a TLD named "oss", so maybe soot.oss would actually be sensible? |
|
I have updated the Wiki pages, see: #1310
Does that sound good to you? |
|
Ping |
|
The plan sounds good. I'm currently busy with patching FlowDroid, though. |
Sure.
I could do that. Since I am currently a bit short on time due to a rollout for a customer, this might have to wait a few days. Otherwise, maybe someone from the research group has interest in contributing to Soot. Btw. we also need to change the place where we publish the javadocs and options if we move away from our own infrastructure. We could probably publish those inside the repo itself after each build and additionally publish it as package with each release.
Sounds great! |
We need to be careful to not bloat the repository. If we end up with many builds (very likely), we might have many automatic commits that increase the size of the repository. Can't we handle the Javadoc like an artifact and host it on some Nexus / whatever repository? |
|
I see your point, I also thought about that. A jar containing the javadoc will be published to Maven central. However, neither the docs nor the options will be directly browsable this way. |
|
I can see your point if you don't want to host anything anymore. The large OSS projects have some central hosting facility, though - think of Eclipse or Apache. For smaller projects, I'm not sure how they handle that. |
|
I've been looking at a bunch of projects for some research that I've been
doing. Many projects these days seem to tag releases on GitHub and call it
a day. (You can then download the tagged releases automatically).
…On Thu, Mar 12, 2020, 6:49 AM Steven Arzt ***@***.***> wrote:
I can see your point if you don't want to host anything anymore. The large
OSS projects have some central hosting facility, though - think of Eclipse
or Apache. For smaller projects, I'm not sure how they handle that.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#1305 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAOKE5TCSPIUA32E6QGS22DRG7FJHANCNFSM4K72VUPA>
.
|
@patricklam I am not sure I understand. How would that help with getting a browsable documentation? From what I understood the concern is that the generated docs are large and we do not want to store them in the repo for every build. We could push the docs to some website. If we register a domain for Soot then we can just as well push the content there. gh-pages seems unsuitable to me because it itself is versioned and thus would still cause a blowup. After all it's just another branch in the same repo. |
Thanks Manuel. Some jobs certainly could and should be taken on by others but I am not sure the build system is the right job for people who are not too familiar with the same already. I would not trust too many people with this :-) |
We can do this or go with our current solution of self-hosting and maybe point the new domain to our servers depending on if we get some webspace with the domain.
Well, thank you, I guess. :) |
|
Update from my side: I have asked our admin to see if we can reserve the domain soot-oss.org. The domain soot.oss would be nicer but has already been bought by domain grabbers, as have all other soot.* domains. I really fail to see why this is still legal but apparently it is... |
|
I've set up an initial GitHub actions file which runs build, test, style- and license checks: https://github.com/Sable/soot/blob/develop/.github/workflows/ci.yml The deploy part is still missing but shouldn't be too much hassle. I got to say, that I start liking the GitHub actions dsl. It's easier to write and read than the Jenkins one... On a side note, we will have to adapt Heros, AXML, and Jasmin (if we want to keep it) as well. We will be able to copy-paste most of the build file, however. |
|
Sounds great @mbenz89. How do you suggest we proceed then? |
|
I planned some time to implement that last part tomorrow evening and copy it over to the other repositories. We will still use our build servers for research group project and for hosting the options/jdoc of Soot. We will neither host nor build official Soot components on that infrastructure anymore. When the actions pipeline is ready, we can move Soot to the new organization and apply your wiki changes and everything should still work. Users who cloned or forked Soot outside of Github will have problems with an unreachable remote. We cannot do much against that, however. I think we should be fine otherwise. |
|
Update from my side: I implemented the deploy step for GitHub actions. I'm still having some problems deploying the JavaDoc and Options to our server due to authentication issues with the Jenkins user on our build machine. I'll contact our admin to help with that. Until then I'll disable the deplyoment of the documentation. I've already disabled the use of our own infrastructure and updated the READMEs accordingly. If we want to move Soot before having a working deployment for that documentation, we are good to go. I still got to implement actions for the other repositories before we move them, though. |
|
Thanks @mbenz89! Did you get anywhere with the JavaDoc and Options? Also, which "other repositories" do you mean? heros and jasmin? I think it would make most sense to move them all together... |
|
On another note, I have now reserved soot-oss.org. @mbenz89 what do we have to do to prove ownership for the maven ID? |
Due to my absence during the last week, I've not made progress here. Our admin is notified, however, and I expect this to be resolved in the next days
Exactly. Inclusive our axml fork.
We will have to make a ticket in their issue tracker requesting an ID. I can do that since I already did this for our current ID, or you can do it if you like to. We will have to testify that we own the ID afterward by sending a mail from the domain or setting a specific DNS entry. The whole procedure usually just takes 2-3 days. Our new group id would then be |
Correct, thanks! |
|
@mbenz89 any progress on this? BTW should we send an announcement to the Soot list to give people some heads-up? |
|
@ericbodden There is some progress. Our Admin has just created a new server to which a special user should have upload rights. For the Documentation deployment, I have to set up a webserver there that serves the documentation and modify the upload procedure a bit to get this working. Missing:
I'll probably not be able to do this before next Weekend.
That shouldn't hurt I guess :). |
|
To testify that we own the domain, we have to do one of the following:
@ericbodden Could you do that? |
Done! (through DNS record) |
Okay I will do this right now. |
|
Update:
|
|
Since the DNS did not work, I now set up a redirect to: https://github.com/Sable/soot |
|
Thanks, Eric! Could you please change the redirection to |
|
@mbenz89 the group ID was now approved. Are we still missing anything else to conduct the change? |
|
No, I don't think so. I just did not find the time to conduct the missing changes this weekend. I might give it another try next weekend. We still need to:
I guess we change the group id of soot as soon as we move the repo to the new organization. Should I adapt the package names as well for consistency reasons? Keeping the packages as is would not require any client changes. It might be a bit misleading still... |
|
Hi @mbenz89. I don't want to bother you but nonetheless I was wondering whether you were able to make some progress on this. |
|
Hi @ericbodden. Unfortunately only very little. I'm still having problems accessing the new build server swt-build to which we want to deploy the documentation. I'm in contact with our admin regarding the issue. I'll give it another try when I got proper access. |
|
@mbenz89 on June 15th I will be giving a SOAP-talk about Soot. It would be great if I could communicate the updated URLs by then. |
|
@ericbodden Sammy and I were able to fix the access yesterday. I'll give it another try this weekend. I guess the 15th should be doable! |
|
Update: I tried again today and it seems that the connections errors were only fixed temporarily. I need proper access to the new deployment server before I can proceed :(. |
What does proper access mean? Is there anything I can do to help? |
|
@ericbodden I just moved the repository. I'll now adapt the group id and the deployment process to work with it. |
|
We also need to change the redirection of soot-oss.org to the github pages page... |
|
Update:
Unfortunately, I cannot publish the artifact to Maven Central currently since my user does not have the correct rights set for org.soot-oss. I've contacted the support for this. Usually, they are very fast, so I expect this to be solved sometime on Monday. I guess we should wait with an update to the mailing list until the artifact got properly deployed. However, I also think its totally fine to announce the repository movement at SOAP on Monday. I'll successively move the other repositories and migrate them to GitHub actions, as soon as the option/jdoc deployment is working properly for Soot |
Done! |
|
@mbenz89 thanks a lot for this! Would it now be save to move jasmin and heros, too? |
|
We could. I would rather like to wait with it until we have a proper deployment of the Options and Documentation and do a batch migration then. Would that work for you? Have you updated the links in the wiki? Btw. The artifact deployment to Maven Central now works properly and I've adapted the Maven coordinates in the READMEs accordingly. |
Currently Soot lives under the Sable organization. This was fine for a long time, but over the years several PhD students and even regular students have obtained owner access to the Sable organization - for good cause. The problem is that implicitly all these people have write access to Soot. Given Soot's now heavy industrial use, I think this should change. I have discussed this issue with Clark Verbrugge of the Sable lab and he recommended moving Soot to another organization. We could move it to "secure-software-engineering" or some new organization that we establish for that purpose, e.g. a separate "soot" organization. This might make sense, actually, so that we can also host Soot extensions there if we want.
Let's discuss this here, and also the steps involved to implement this change. I suppose some CI/CD setups will have to change at the minimum.
The text was updated successfully, but these errors were encountered: