Just testing, you can ignore.
If this works, it means we'll start seeing root's email coming to this
list, including daily logwatch reports and cronjob messages.
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org .^\ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
Following the last infra meeting, I want to open for discussion the security issues that may arise if we allow Jenkins
to run jobs (i.e. any code) with every gerrit patch.
In theory, any user that is registered to gerrit might send a patch to any ovirt project.
That code might contain malicious code, malware, harmful or just not-related-to-ovirt code that he wants to use our resources for.
Even though we use limited sudo on hosts, we can't be sure an exploit will be used against one of the jenkins slaves.
The proposed solutions:
- black-listing authors (published on ovirt.org?)
- white-listing authors (published on ovirt.org?)
- auto approve patch via comparing to latest commits
- check if author recent patches were approved in the past?
Adding Dan since he raised this issue when we wanted to add vdsm gerrit tests.
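One way to turn the proposed deny list, allow list and "recent patches approved" checks into a single gating decision for the Jenkins trigger. This is an added illustration, not oVirt infra code; the `Patch`/`CiPolicy` shapes, the thresholds and the sample history are assumptions constructed for the example.

```python
"""Decide whether Jenkins may run CI on a Gerrit patch, based on its author.

Example code (assumed data model, not oVirt's): a deny list always wins,
an allow list always runs, and everyone else is judged on how many of
their recent patches received approval.
"""
from dataclasses import dataclass, field


@dataclass
class Patch:
    author: str      # Gerrit account e-mail of the uploader
    approved: bool   # True if the patch was approved/merged by reviewers


@dataclass
class CiPolicy:
    denylist: set = field(default_factory=set)
    allowlist: set = field(default_factory=set)
    min_approved: int = 3   # approved patches needed before auto-running CI
    window: int = 10        # number of most recent patches to consider


def should_run_ci(author: str, history: list, policy: CiPolicy) -> tuple:
    """Return (run, reason). history: all known patches, newest first."""
    if author in policy.denylist:
        return False, "author on deny list"
    if author in policy.allowlist:
        return True, "author on allow list"
    # Only this author's recent patches count towards the trust decision.
    recent = [p for p in history if p.author == author][:policy.window]
    approved = sum(1 for p in recent if p.approved)
    if approved >= policy.min_approved:
        return True, f"{approved} of last {len(recent)} patches approved"
    return False, "insufficient review history; needs manual trigger"


# Constructed sample data (not real Gerrit users or patches).
SAMPLE_POLICY = CiPolicy(denylist={"mallory@example.com"},
                         allowlist={"core@example.com"}, min_approved=2)
SAMPLE_HISTORY = [
    Patch("alice@example.com", True),
    Patch("bob@example.com", False),
    Patch("alice@example.com", False),
    Patch("alice@example.com", True),
]

if __name__ == "__main__":
    for who in ("mallory@example.com", "core@example.com",
                "alice@example.com", "bob@example.com"):
        print(who, should_run_ci(who, SAMPLE_HISTORY, SAMPLE_POLICY))
```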