Re: Security issues when running gerrit patches on jenkins
On Wed, Jul 18, 2012 at 07:05:16AM -0400, Eyal Edri wrote:
Hi,
Following last infra meeting, i want to open for discussion the security issues that may
arise if we allow Jenkins
to run jobs (i.e any code) with every gerrit patch.
The problem:
In theory, any user that is registered to gerrit might send a patch to any ovirt
project.
That code might contain malicious code, malware, harmfull or just not-related ovirt code
that he wants to use our resources for it.
Even though we use limited sudo on hosts, we can't be sure an exploit will be used
against one of the jenkins slaves.
The proposed solutions:
- black-listing authors (published on ovirt.org?)
- white-listing authors (published on ovirt.org?)
- auto approve patch via comparing to lastest commits
- check if author recent patches were approved in the past?
adding dan since he raised this issue when we wanted to add vdsm gerrit tests.
In my opinion, we can trust anyone who has already contributed code to
the relevant project. We can even say: someone who contributed more than
3 commits over a month ago.
However, no trust should be perpetual (passwords get lost, laptops are
lost, people go crazy..) so I suggest to have a blacklist of people we
no longer trust. It would be easier to maintain such a list as a
(locked) wiki page, so peole can see that they are unrusted, and can
apeal ("I'm sane today, lemme run stuff on your slaves!").
Note that I don't expect this blacklist to be used in the near future,
but when we'd need it, we'd need it fast. So we'd better prepare ahead
of time.
Regards,
Dan.