Security issues when running gerrit patches on jenkins

Dan Kenigsberg danken at redhat.com
Wed Jul 18 13:20:11 UTC 2012


On Wed, Jul 18, 2012 at 07:05:16AM -0400, Eyal Edri wrote:
> Hi,
> 
> Following last infra meeting, i want to open for discussion the security issues that may arise if we allow Jenkins
> to run jobs (i.e any code) with every gerrit patch.
> 
> The problem:
> 
> In theory, any user that is registered to gerrit might send a patch to any ovirt project.
> That code might contain malicious code, malware, harmful or just non-ovirt-related code that he wants to use our resources for.
> Even though we use limited sudo on hosts, we can't be sure an exploit will be used against one of the jenkins slaves. 
> 
> 
> The proposed solutions:
> 
> - black-listing authors (published on ovirt.org?)
> - white-listing authors (published on ovirt.org?)
> - auto-approve patch by comparing to latest commits
>   - check if the author's recent patches were approved in the past?
> 
> adding dan since he raised this issue when we wanted to add vdsm gerrit tests.

In my opinion, we can trust anyone who has already contributed code to
the relevant project. We can even say: someone who contributed more than
3 commits over a month ago.

However, no trust should be perpetual (passwords get lost, laptops are
lost, people go crazy..) so I suggest having a blacklist of people we
no longer trust. It would be easier to maintain such a list as a
(locked) wiki page, so people can see that they are untrusted, and can
appeal ("I'm sane today, lemme run stuff on your slaves!").

Note that I don't expect this blacklist to be used in the near future,
but when we'd need it, we'd need it fast. So we'd better prepare ahead
of time.

Regards,

Dan.
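The gate proposed above (more than 3 commits, landed over a month ago, minus a blacklist) as a worked example. This is added code, not oVirt infra tooling; it parses the output of `git log --format='%ae%x09%ct'` (author e-mail, TAB, commit unix time) that is embedded here as constructed sample data, so it runs offline. Two assumptions are made explicit: "over a month ago" is taken as 30 days, and only commits that are themselves older than a month are counted, so four patches merged yesterday do not buy trust. One caveat the gate relies on: the e-mail it keys on must be the identity of the Gerrit account that uploaded the change, not the author field inside the commit, since anyone can set that field to an established contributor's address.

```python
#!/usr/bin/env python
"""Decide whether a Gerrit patch may be built on a Jenkins slave.

Added example implementing the policy from the thread. Trust requires
strictly more than MIN_COMMITS commits by the author that landed at
least MIN_AGE_SECONDS before now; a blacklist overrides any history.
"""

MIN_COMMITS = 3                # "more than 3 commits"
MIN_AGE_SECONDS = 30 * 86400   # "over a month ago"; 30 days is an assumption

# Constructed sample of `git log --format='%ae%x09%ct'` output.
# NOW is 2012-07-18 00:00 UTC; the 30-day cutoff is 2012-06-18.
NOW = 1342569600
SAMPLE_LOG = """\
alice@example.org\t1339000000
alice@example.org\t1339100000
alice@example.org\t1339200000
alice@example.org\t1339300000
bob@example.org\t1342000000
bob@example.org\t1342100000
bob@example.org\t1342200000
bob@example.org\t1342300000
carol@example.org\t1339000000
carol@example.org\t1339100000
carol@example.org\t1339200000
"""

# Constructed blacklist in the shape a locked wiki page could export:
# one address per line, '#' comments ignored.
SAMPLE_BLACKLIST = """\
# people we no longer trust to run code on the slaves
Mallory@example.org
"""


def parse_git_log(log_text):
    """Return [(author_email, commit_time), ...] from git log lines."""
    commits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        email, ts = line.split("\t", 1)
        commits.append((email.strip().lower(), int(ts)))
    return commits


def parse_blacklist(text):
    """Return the set of blacklisted addresses, lower-cased, comments dropped."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def established_commits(commits, author_email, now):
    """Commit times by author_email that are at least MIN_AGE_SECONDS old."""
    email = author_email.strip().lower()
    return [ts for who, ts in commits
            if who == email and now - ts >= MIN_AGE_SECONDS]


def may_run_on_slave(author_email, commits, blacklist, now):
    """Return (allowed, reason). Blacklist is checked first so that revoking
    trust is a one-line edit to the list, regardless of past contributions."""
    email = author_email.strip().lower()
    if email in blacklist:
        return False, "author is on the blacklist"
    n = len(established_commits(commits, email, now))
    if n <= MIN_COMMITS:
        return False, "only %d commit(s) older than a month (need more than %d)" % (n, MIN_COMMITS)
    return True, "%d commits older than a month" % n


if __name__ == "__main__":
    commits = parse_git_log(SAMPLE_LOG)
    blacklist = parse_blacklist(SAMPLE_BLACKLIST)
    for who in ("alice@example.org", "bob@example.org",
                "carol@example.org", "dave@example.org", "mallory@example.org"):
        allowed, reason = may_run_on_slave(who, commits, blacklist, NOW)
        print("%-20s %s (%s)" % (who, "RUN" if allowed else "SKIP", reason))
```

In the sample, alice (four commits from June) is trusted, bob (four commits from July) is not yet, carol (three old commits) falls one short, dave has no history, and mallory is refused before history is even consulted. Wiring this into the Jenkins job means refusing to start the build, not merely logging, when `may_run_on_slave` returns False.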
