Skip to content

Run a reproducer in a simple way#369

Open
majamassarini wants to merge 1 commit intopackit:mainfrom
majamassarini:simple-reproducer
Open

Run a reproducer in a simple way#369
majamassarini wants to merge 1 commit intopackit:mainfrom
majamassarini:simple-reproducer

Conversation

@majamassarini
Copy link
Member

No description provided.

Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces the capability to run a reproducer test via testing-farm after a package build. The changes are extensive, touching configuration, agent logic, data models, and adding new tools. While the overall approach is sound, I've identified a few critical and high-severity issues that need to be addressed. Specifically, there's a critical logic error in the backport agent's workflow that will cause it to fail, an invalid JSON example in the triage agent's prompt that could lead to parsing errors, and a potential command injection vulnerability in the new testing-farm tool. Please see the detailed comments for suggestions on how to resolve these issues.

@majamassarini majamassarini force-pushed the simple-reproducer branch 2 times, most recently from 0bdb015 to e2764c8 Compare November 24, 2025 16:34
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes no sense. First, URLs to built artifacts are already returned from the build_package tool, second, there could be multiple RPMs (even hundreds in some cases) - which one should the model choose? The correct answer is all of them, but that's not always possible, they could conflict with each other for example. It would be best to leave this to Testing Farm and pass a Copr build ID instead of a RPM.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why limit this only to backports?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest using reproducer test case instead of reproducer, everywhere, not just here. Reproducer test case succeeds when the reproducer fails - the issue didn't manifest.

Comment on lines 261 to 269
Copy link
Member

@nforro nforro Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be part of the output schema - it seems it already is, so there is no reason for this to be here.

Comment on lines +37 to +41
process = await asyncio.create_subprocess_exec(
*cmd,
stdout=asyncio.subprocess.PIPE,
stderr=asyncio.subprocess.PIPE,
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather send a request using aiohttp.

Copy link
Member

@nforro nforro Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like I said elsewhere, this is confusing. We want the reproducer to fail - if it fails, the fix worked. But only if it didn't fail before applying the fix, if it did, it's a bogus reproducer. I would use the term reproducer test case, and run it twice, first without the new build, expected to fail, and then with the new build, expected to succeed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this line redundant? All the info is on the line above. Though I think we should come up with a convention how to reference test cases, for example, inspired by pip and similar (I think we even use something like that in packit):
https://gitlab.com/redhat/rhel/tests/expat.git@master#testcase=Security/RHEL-114639-CVE-2025-59375-expat-libexpat-in-Expat-allows

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants

Comments