On Sun, Jun 04, 2017 at 10:23:52PM +0200, Mojca Miklavec wrote:
Dear Zero King,

Thank you very much for the update. There's one thing I didn't fully understand:

https://github.com/l2dy/mpbot-design/blob/master/cibot.md#interaction-with-ci-bot

"This design is aimed for traceability, we can find the exact GitHub user who submitted a malicious PR."

I understand that you can neither trust the author's nor committer's email from the git commit history, but doesn't GitHub provide reliable information about who submitted the pull request? Of course one can have a stolen identity (username/password or key), but I probably don't understand at which point you wanted to identify the user submitting a PR. Or did you want to identify the user trying to chat with the bots?

All information the CI bot has access to is public, so I'm worried that someone would send PR bot data without submitting a PR at all.

You asked about extraction of the list of ports, which is currently a combination of https://github.com/macports/macports-infrastructure/blob/f79cc559611e5f42dd26808f38cd0750beee12bf/buildbot/master.cfg#L32 and list-subports in mpbb. I guess the first function could be implemented in mpbb instead. And maybe mpbb could get some more branching (if-else statements) depending on whether it runs for "production" (buildbot) or "testing" (Travis). Or maybe some functionality from mpbb could even move to the MacPorts core.

mpbb has a dependency on getopt, so it's not ideal for Travis since there's a time limit for each build and I'd like to save more time for actually testing ports.

--
Best regards,
Zero King

Don't trust the From address.