----- Original Message -----
From: "Robert Middleswarth"
<robert(a)middleswarth.net>
To: "Eyal Edri" <eedri(a)redhat.com>
Cc: infra(a)ovirt.org
Sent: Tuesday, July 31, 2012 8:35:25 PM
Subject: Re: Security issues when running gerrit patches on jenkins
On 07/31/2012 01:19 PM, Eyal Edri wrote:
>
> ----- Original Message -----
>> From: "Robert Middleswarth" <robert(a)middleswarth.net>
>> To: infra(a)ovirt.org
>> Sent: Tuesday, July 31, 2012 7:55:49 PM
>> Subject: Re: Security issues when running gerrit patches on
>> jenkins
>>
>> On 07/31/2012 10:37 AM, Karsten 'quaid' Wade wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 07/18/2012 04:05 AM, Eyal Edri wrote:> Hi,
>>>> Following last infra meeting, i want to open for discussion the
>>>> security issues that may arise if we allow Jenkins to run jobs
>>>> (i.e
>>>> any code) with every gerrit patch.
>>>>
>>>> - white-listing authors (published on ovirt.org?) ...
>>> I think the consensus we are leaning toward is this:
>>>
>>> * Use a whitelist to identify who can have Jenkins jobs triggered
>>> when
>>> a patch hits Gerrit.
>>> * Keep the whitelist on the wiki, so it's clear who has access,
>>> and
>>> the list can be used by all Jenkins hosts.
>> I would prefer wordpress to prevent someone from just adding
>> themselves.
>>> * Current whitelist is built from current committers (from git
>>> log).
>>> ** compare the whitelist with the current GERRIT_AUTHOR or
>>> similar
>>> value.
>>>
>>> Do we want to build-in the ability to check a blacklist, too? Or
>>> just
>>> use "absence from whitelist"?
>>>
>>> For example, is there going to be a desire to have someone not be
>>> able
>>> to automatically run a test on certain parts of the code, but yes
>>> on
>>> others?
>> That isn't a black list that is an itemized white list and at this
>> stage
>> I don't see a point to it. What tests / jobs would your run diff
>> from
>> the kinda trusted list vs the completely untrusted list? It not
>> like
>> the
>> list is going to be used to allow people to change Jenkins it is
>> just
>> going to be there to allow commit's to generate builds. If we
>> have a
>> list of people we fell is safe enough to run test against how much
>> more
>> exposure will there be also allowing auto builds? And if we do
>> come
>> up
>> with test that we feel can be run on all commits we would run them
>> on
>> all not just a small subset of commits.
>>
> btw, this kind of logic might justify a jenkins plugin, or at least
> an extension to the gerrit trigger plugin.
> it might interest other people as well.
I haven't looked at the plug-in structure so if you can reuse the
interface for the admin matrix and just let you select people from
the
people list that would be a great add-on.
i was thinking on the specific use case of gerrit plugin, that will allow triggering jobs
only for certain email/user name.
i'll ask on jenkins list if this feature is something they consider or we can
contribute.
>
>> Thanks
>> Robert
>>
>>> - - Karsten
>>> - --
>>> Karsten 'quaid' Wade, Sr. Analyst - Community Growth
>>>
http://TheOpenSourceWay.org .^\
http://community.redhat.com
>>> @quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.12 (GNU/Linux)
>>> Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org/
>>>
>>> iD8DBQFQF+2d2ZIOBq0ODEERAmxqAKDNHOfAEHwfTbQz/Yubo3iApBdUYwCePkPC
>>> D9M+eLnNAaUv2Y0+yVWA+3o=
>>> =HmZo
>>> -----END PGP SIGNATURE-----
>>>
_______________________________________________
>>> Infra mailing list
>>> Infra(a)ovirt.org
>>>
http://lists.ovirt.org/mailman/listinfo/infra
>>
>> --
>> Thanks
>> Robert Middleswarth
>> @rmiddle (twitter/IRC)
>>
>> _______________________________________________
>> Infra mailing list
>> Infra(a)ovirt.org
>>
http://lists.ovirt.org/mailman/listinfo/infra
>>
--
Thanks
Robert Middleswarth
@rmiddle (twitter/IRC)