Hi Paul,
On 17/01/12 12:31, Paul Sokolovsky wrote:
Hello Guilherme,
Here's the matter about "WI" we have from the team meeting. I posted
about that matter previously but here's quick recap: we wanted to
start using the copy-to-slave on android-build, and I found that it has
security hole, essentially it allows a user w/o admin permissions to
get access to admin info, which can be as serious as to allow to steal
EC2 machine time.
What I did is notified the plugin maintainer, and also quickly whipped
a "short-circuit" type workaround - I just removed the offending option
altogether. In maintainer's place, I wouldn't accept that patch as is -
obviously, is some configurations there's no real security risk with
that option, and some people have it in use. Proper solution would take
adding UI configuration page, but I don't know Jenkisn well enough to
do that (and before going for that, there're 2-3 Jenkins hacking
related tasks waiting in queue for months). Last step in this so far is
that maintainer did some changes (again, I doubt they're based on my
patch much) and asked for review, in my TODO.
We didn't really exchange email, all communication is as the comments
to the plugin page:
https://wiki.jenkins-ci.org/display/JENKINS/Copy+To+Slave+Plugin?focusedCommentId=59509028#comment-59509028
There's also a bug: https://issues.jenkins-ci.org/browse/JENKINS-12281
My changes are in the form of fork repo:
https://github.com/pfalcon/copy-to-slave-plugin
So, based on all this, I wouldn't think there's something to
patch-track: it's not that much of upstream contribution, more of
upstream bugreport + local workaround. But if you think we could track
anything out of this, I'd appreciate a hint how to start with that.
Right, it probably doesn't make sense to teach patches.l.o how to suck
patches submitted by Linaro engineers from issues.jenkins-ci.org as we
don't expect to see many contributions from Linaro there. If that
changes in the future, we can certainly work something out, like we did
for gerrit.
The way you described it sounds like the patch you submitted isn't even
going to be merged upstream, but if you have others that you expect to
be, you can just email a copy of them to patches@l.o, as described at
https://wiki.linaro.org/Process/UpstreamPatches
In that case you'll also want to ask for the creation of a new project
on patches.l.o (instructions also on the page above)
--
Guilherme Salgado <https://launchpad.net/~salgado>
_______________________________________________
linaro-dev mailing list
linaro-dev@lists.linaro.org
http://lists.linaro.org/mailman/listinfo/linaro-dev
