Security issues when running gerrit patches on jenkins
Mike Burns
mburns at redhat.com
Wed Jul 18 17:43:15 UTC 2012
On Wed, 2012-07-18 at 13:34 -0400, Heiko W.Rupp wrote:
> Am 18.07.2012 um 13:00 schrieb Robert Middleswarth:
>
> > I need trust to be earned so I +1 on whitelist. With that said I think getting on the whitelist should be pretty easy.
>
> Isn't that what you usually do on projects - have the first few commits not directly go to master but being
> reviewed by an existing committer and then giving full commit access to a new user?
> So I think that fits in and fits with what new committers are used to. Many of them actually would be scared
> if they got commit access from day 1.
It's not commit access that is being discussed. We're not giving that
away easily. Jenkins provides the ability to trigger builds/tests on
patch submission (just submission, not commit). A savvy attacker could
write a patch that could cause the tests to compromise the jenkins slave
machine. The whitelist being proposed is a whitelist for running the
build/test based on who submitted the patch.
Mike
>
> Heiko
>
> _______________________________________________
> Infra mailing list
> Infra at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra
More information about the Infra
mailing list