Well, it has been for Apache committers, but it hasn't for non-committers. Usually the path is for outsiders to submit something, and usually after a review by a committer it's run. I guess we expect someone with commit privileges to be safe, but having code run by ANYONE is a different topic.
Chris

On 04.01.19, 15:20, "Allen Wittenauer" <a...@effectivemachines.com.INVALID> wrote:

> On Jan 4, 2019, at 2:00 AM, Christofer Dutz <christofer.d...@c-ware.de> wrote:
> > Hmmm,
> > thinking about it ... this is not quite "safe" is it? Just imagining someone starting PRs with maven download-plugin and exec-plugin starting a bitcoin miner or worse ... what does Infra think about this?
> Would prefer the "everyone" PR builds to run on Travis or something that wouldn't harm the ASF. This is the same model the ASF has used for JIRA for a decade+. It’s always been possible for anyone to submit anything to Jenkins and have it get executed. Limiting PRs or patch files in JIRAs to just committers is very anti-community. (This is why all this talk about using Jenkins for building artifacts I find very entertaining. The infrastructure just flat out isn’t built for it and absolutely requires disposable environments.)