I was a bit worried about the word "useless" in the subject :-) but the mail
sounds like we are talking about quite the opposite thing.

From: "Tomas Tomecek" <ttomecek(a)redhat.com>
> Would that be a big deal if packit-service sent thousands of build
> requests within a short period of time?

From time to time, some users submit several thousands of builds in a short
period of time. Copr should survive, but naturally you might have to wait
some time (hours, if the packages are average) till everything is
processed for your 'packit' user.

> Context: right now in our packit github app we only allow builds
> triggered by "trusted" contributors. So if a person opens a PR on a
> project and is not a contributor, that request is not being built - the
> project maintainer needs to trigger the build manually. We received
> suggestions to drop this and build all PRs no matter who contributed

Here I'd rather think about security. RPM build is a Turing-complete
process, and if anyone can run builds under your name ... potentially
go breaking builders that can be reused for other builds ... PR builds
should be at least in a separate project for each of your users.

> Our main concern is that someone could create a malicious
> which would get into copr or some bot would open thousands of useless
> PRs, thus DoSing CI systems.

This would overload the 'packit' copr account, but not the whole copr. If something
dramatic happened, we'd have to eventually cancel the batch of builds.
But several thousands in queue are just known to work.

> Did you already have problems with this? Would this be a concern?

Historically, but currently Fedora Copr scales pretty well. The major
concern is storage, so preferably all the projects should be removed
after some time, not stored indefinitely.

> [using user-cont-team@ ML since that's our only public list]