dev-sec / linux-baseline

DevSec Linux Baseline - InSpec Profile
https://dev-sec.io/baselines/linux/
Apache License 2.0

CI: run linux-baseline with master branch of chef-os-hardening #55

Open artem-sidorenko opened 7 years ago

artem-sidorenko commented 7 years ago

See this discussion.

We should have a CI job here with master branch of chef-os-hardening

artem-sidorenko commented 7 years ago

I like that idea. We should just make sure that this will be an optional cross check. A failure does not mean it cannot be merged.

@chris-rock in my eyes you can always merge, even with a red CI. The question is whether a particular job has an impact on the overall CI result (green/red). Am I missing something?

chris-rock commented 7 years ago

It's a semantics discussion... But I fully agree that we need cross checks. Maybe we need to request a reference implementation for every baseline change in the future. Are you creating an issue for that?

artem-sidorenko commented 7 years ago

@chris-rock

It's a semantics discussion...

I'm not discussing, I'm just trying to understand your view :-)

Are you creating an issue for that?

You are already commenting in the new issue :-)

chris-rock commented 7 years ago

Oh man, you're so quick! From my perspective, CI tests should be green by default; otherwise we get used to red lights and we no longer even notice a linting issue. Another option could be to mark controls as stable or experimental. You activate all experimental controls with an attribute. Controls only get into stable once they have a reference implementation. This would allow us to add more features quickly, while making sure they are not breaking anything. And experimental features could get removed if no reference implementation is available within a timeframe. Of course, this process needs to be documented properly.