On Wed, 2012-07-18 at 13:34 -0400, Heiko W.Rupp wrote:
On 18.07.2012 at 13:00, Robert Middleswarth wrote:
> I need trust to be earned so I +1 on whitelist. With that said I think getting on the whitelist should be pretty easy.
Isn't that what you usually do on projects - have the first few commits not directly go to master but being reviewed by an existing committer and then giving full commit access to a new user?
So I think that fits in and fits with what new committers are used to. Many of them actually would be scared if they got commit access from day 1.
It's not commit access that is being discussed. We're not giving that
away easily. Jenkins provides the ability to trigger builds/tests on
patch submission (just submission, not commit). A savvy attacker could
write a patch that could cause the tests to compromise the Jenkins slave
machine. The whitelist being proposed is a whitelist for running the
build/test based on who submitted the patch.
Mike
Heiko
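The whitelist gate described above, sketched as an added example that is not part of the original thread or of the oVirt infrastructure. The event field names (`uploader`, `author`, `approved_by`, `revision`) and all addresses are hypothetical; the per-revision approval path goes beyond what the thread proposes and is an assumption.

```python
# Added example (not from the thread). Event field names are hypothetical.
TRUSTED = {"alice@example.org", "bob@example.org"}  # constructed whitelist


def _email(record):
    """Lower-cased e-mail from an account record, or '' if absent."""
    return ((record or {}).get("email") or "").strip().lower()


def decide(event, trusted=TRUSTED):
    """Return ('build' | 'hold', reason) for one patch-submission event."""
    # Decide on the account the review server authenticated. The commit's
    # author field is written by whoever made the patch and proves nothing.
    uploader = _email(event.get("uploader"))
    if not uploader:
        return "hold", "no authenticated uploader"
    if uploader in trusted:
        return "build", "uploader is whitelisted"
    # Assumption beyond the thread: a whitelisted reviewer may release one
    # specific revision; any later revision has to be looked at again.
    approval = event.get("approved_by") or {}
    rev = event.get("revision")
    if rev and _email(approval) in trusted and approval.get("revision") == rev:
        return "build", "revision approved by whitelisted reviewer"
    return "hold", "uploader not whitelisted"


# Constructed sample events.
SAMPLE_EVENTS = [
    {"change": 101, "revision": "r1", "uploader": {"email": "Alice@Example.org"}},
    # Author claims to be a trusted user, uploader is not on the list.
    {"change": 102, "revision": "r1", "author": {"email": "alice@example.org"},
     "uploader": {"email": "mallory@example.net"}},
    # Approval was given for r1, but r2 is what would be built.
    {"change": 103, "revision": "r2", "uploader": {"email": "newdev@example.net"},
     "approved_by": {"email": "bob@example.org", "revision": "r1"}},
    {"change": 104, "revision": "r2", "uploader": {"email": "newdev@example.net"},
     "approved_by": {"email": "bob@example.org", "revision": "r2"}},
]


def run_samples():
    """Actions for the constructed events, in order."""
    return [decide(e)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["change"], *decide(e))
```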