Security issues when running gerrit patches on jenkins

Karsten 'quaid' Wade kwade at redhat.com
Tue Jul 31 14:37:17 UTC 2012



On 07/18/2012 04:05 AM, Eyal Edri wrote:
> Hi,
> 
> Following last infra meeting, i want to open for discussion the 
> security issues that may arise if we allow Jenkins to run jobs (i.e
> any code) with every gerrit patch.
> 
> - white-listing authors (published on ovirt.org?) ...

I think the consensus we are leaning toward is this:

* Use a whitelist to identify who can have Jenkins jobs triggered when
a patch hits Gerrit.
* Keep the whitelist on the wiki, so it's clear who has access, and
the list can be used by all Jenkins hosts.
* Current whitelist is built from current committers (from git log).
** compare the whitelist with the current GERRIT_AUTHOR or similar value.

Do we want to build in the ability to check a blacklist, too? Or just
use "absence from whitelist"?

For example, is there going to be a desire to have someone not be able
to automatically run a test on certain parts of the code, but yes on
others?

- Karsten
-- 
Karsten 'quaid' Wade, Sr. Analyst - Community Growth
http://TheOpenSourceWay.org  .^\  http://community.redhat.com
@quaid (identi.ca/twitter/IRC)  \v'  gpg: AD0E0C41

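The whitelist gate sketched in the message above, as an added example written for this page (it is not code from the oVirt infra team or the thread). It assumes a whitelist file with one e-mail address per line, built from the author addresses in git log, and that the Gerrit trigger exposes the patch author's address in an environment variable named GERRIT_AUTHOR, as the message tentatively calls it; both the file layout and the variable name are assumptions. The comparison is a whole-line, fixed-string match, so a crafted address cannot match by being a superstring of a trusted one or by containing regex metacharacters.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a whitelist check that a
# Jenkins job can run before executing anything from a Gerrit patch.
# Assumptions (hypothetical): whitelist = one address per line;
# the Gerrit trigger exports the patch author as $GERRIT_AUTHOR.

# Build the whitelist from the author addresses in the repository history
# (%ae = author e-mail), lower-cased and de-duplicated.
# Usage: build_whitelist /path/to/repo /path/to/whitelist
build_whitelist() {
    repo="$1"; out="$2"
    git -C "$repo" log --format='%ae' | tr 'A-Z' 'a-z' | sort -u > "$out"
}

# Return 0 if the address is on the whitelist, 1 otherwise.
# grep -F -x -i: fixed string, whole line, case-insensitive, so
# "alice@example.com" is not matched by "malice@example.com", and a
# pattern such as ".*" in an attacker-chosen address matches nothing.
is_whitelisted() {
    whitelist="$1"; author="$2"
    [ -n "$author" ] || return 1
    grep -F -x -i -q -- "$author" "$whitelist"
}

# Gate for the job: succeed only for whitelisted authors, otherwise return
# non-zero so the job stops before the patch's code is run.
gate_job() {
    whitelist="$1"
    if is_whitelisted "$whitelist" "${GERRIT_AUTHOR:-}"; then
        echo "author '${GERRIT_AUTHOR}' is whitelisted: running tests"
        return 0
    fi
    echo "author '${GERRIT_AUTHOR:-<unset>}' not whitelisted: job not run" >&2
    return 1
}

# Stand-alone demo with a constructed whitelist (sample data, not real users).
demo_list=$(mktemp)
printf 'alice@example.com\nbob@example.com\n' > "$demo_list"
GERRIT_AUTHOR="alice@example.com" gate_job "$demo_list" || true
GERRIT_AUTHOR="malice@example.com" gate_job "$demo_list" || true
rm -f "$demo_list"
```

In a Jenkins job the gate would be the first build step, with the whitelist file fetched from the agreed location (the wiki, in the message's proposal) before the check; an empty or unset author variable is treated as not whitelisted rather than as a pass.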