In my humble opinion - as a member of the Jenkins CERT team - this is not safe.
If the ASF wants to build PRs on ASF hardware there are two options I would recommend: Option 1: Do not build PRs automatically, instead require an ASF committer to request the build of a specific commit hash (there are a number of ways of doing this... none of which currently actually guarantee that the specific hash seen by the ASF committer is the hash that gets built. I cannot say more, even this may have been too much) Option 2: Have dedicated "throwaway" hardware for build agents. You would need some form of internal "cloud" where the build agents are provisioned on demand and thrown away afterwards. You would need to "lock down" the Jenkinsfiles by saying that PRs are untrusted (this means that PRs changing the Jenkinsfile would need to be reviewed by ASF committers before they can be built... required as a Jenkinsfile change could nullify the part of the Jenkinsfile that forces PRs to build on the "throwaway" hardware). This internal cloud could be Docker based or a more full VM infra, but ASF infra would need to be happy with the security. You would need CPU limits to prevent things like bitcoin mining via drive-by pull requests from a throw-away GitHub account. If Infra wants more details, they know how to contact me! -Stephen On 2019/01/04 10:00:33, Christofer Dutz <christofer.d...@c-ware.de> wrote: > Hmmm, > > thinking about it ... this is not quite "safe" is it? Just imagining someone > starting PRs with maven download-plugin and exec-plugin starting a bitcoin > miner or worse ... what does Infra think about this? > Would prefer the "everyone" PR builds to run on Travis or something that > wouldn't harm the ASF. > > Chris > > > > Am 03.01.19, 16:37 schrieb "Allen Wittenauer" > <a...@effectivemachines.com.INVALID>: > > > > > On Jan 3, 2019, at 7:34 AM, Christofer Dutz <christofer.d...@c-ware.de> > wrote: > > > > Hi Allen, > > > > thanks for that ... if I had known that simply selecting the "GitHub" > as source instead of the generic "Git" ... would have made things easier ... > however it seems that we have exceeded some sort of API usage limit: > > Yup. That’s why we set up our own project-specific user to query GitHub > and set trust to ‘Everyone’ since our user doesn’t have privs on Github. :/ > > (See also: last month’s discussion of github’s idiotic permission system.) > > > > >
