Yes, I agree.

On Fri, Mar 29, 2019 at 1:48 PM Pierre Tardy <tar...@gmail.com> wrote:
> My fear is that this is part of the many stretch goals, and this is beginning to be a very optimistic schedule.
> I think it is best to make a great finished GSoC rather than lots of very cool but unfinished mini projects.
>
> From my experience, I'd say setting up, securing and optimising macOS precommit CI is a full 3 months' work.
>
> The number one mistake for young talented people is to underestimate things.
>
> https://en.wikipedia.org/wiki/Pareto_principle
>
> Regards,
> Pierre
>
> On Thu, Mar 28, 2019 at 18:50, Rajdeep Bharati <rajdeepbharat...@gmail.com> wrote:
>
>> I will try to set up libvirt. I can keep the PR comment from admin as a backup option.
>>
>> Rajdeep
>>
>> On Thu, Mar 28, 2019 at 5:37 PM Pierre Tardy <tar...@gmail.com> wrote:
>>
>>> You can take control of the VM by downloading a ransomware or botnet or whatever.
>>>
>>> You usually counter that by making sure the PR VMs are restricted in terms of the network access they have, and also restricted in the amount of time they are alive (basically just the time of the build).
>>>
>>> Another, much simpler option is to trigger the PR testing via a PR comment from an admin.
>>>
>>> If a MacPorts maintainer sends a message like "Go Buildbot", then buildbot would catch that and start a build, provided that the PR got a basic review, and is not suspicious.
>>>
>>> Pierre
>>>
>>> On Thu, Mar 28, 2019 at 13:03, Rajdeep Bharati <rajdeepbharat...@gmail.com> wrote:
>>>
>>>> All right. Could you please give an example of a malicious PR? Would it be one which is done (locally tested) from an old version of macOS?
>>>>
>>>> On Wed, Mar 27, 2019 at 9:55 PM Mojca Miklavec <mo...@macports.org> wrote:
>>>>
>>>>> Dear Rajdeep,
>>>>>
>>>>> It's not just a question of how to fetch a PR. That shouldn't be too difficult, I hope (and probably the link you provided works as intended).
>>>>>
>>>>> The tricky question is how to prevent malicious PRs from doing damage on the builders. I assume that a proper solution would require starting a fresh VM for each build. There is some support in the buildbot already:
>>>>>
>>>>> http://docs.buildbot.net/2.1.0/manual/configuration/workers-libvirt.html
>>>>> https://github.com/kholia/OSX-KVM
>>>>>
>>>>> but we would need to find a way to create VMs with macOS, so it might not be trivial to do it. On top of that, what we would really need the PRs for are the old machines (say, 10.6, or even 10.4 if we would want to go to extremes) where it might be even less trivial to automate this in a nice way.
>>>>>
>>>>> (A compromise solution would be to only allow trusted developers to test pull requests on devoted builders, where we would also need to make sure to uninstall the software after the PR is done building.)
>>>>>
>>>>> While implementing this remains almost the number one requested thing when people contribute to packages, I'm not sure how much time doing this would take. It could be that this could be done in a day or a few days, but it's also possible that there would be some stumbling block that would require more hacking skills and would prevent us from proceeding, and not even two months would suffice. In one way, I wouldn't mind if a student would work on this for the full summer to get this working; on the other hand, if there's a block and none of us is skilled enough to overcome it, it makes more sense to proceed with other stuff that can certainly be done.
>>>>>
>>>>> Mojca
>>>>>
>>>>> On Wed, 27 Mar 2019 at 16:05, Rajdeep Bharati <rajdeepbharat...@gmail.com> wrote:
>>>>>
>>>>>> I could use the GitHubPullrequestPoller
>>>>>> <http://docs.buildbot.net/current/manual/configuration/changesources.html#chsrc-GitHubPullrequestPoller>
>>>>>> which periodically polls the GitHub API for new/updated PRs.
>>>>>>
>>>>>> Here is an example:
>>>>>> https://github.com/halide/build_bot/blob/master/master/master.cfg
>>>>>>
>>>>>> c['change_source'].append(GitHubPullrequestPoller(
>>>>>>     owner = 'halide',
>>>>>>     repo = 'Halide',
>>>>>>     token = token,
>>>>>>     pullrequest_filter = pr_filter,
>>>>>>     pollInterval = 60*5, # Check Halide PRs every five minutes
>>>>>>     pollAtLaunch = True))
>>>>>>
>>>>>> Rajdeep
>>>>>>
>>>>>> On Wed, Mar 27, 2019 at 3:59 AM Mojca Miklavec <mo...@macports.org> wrote:
>>>>>>
>>>>>>> Dear Rajdeep,
>>>>>>>
>>>>>>> On Tue, 26 Mar 2019 at 19:51, Rajdeep Bharati wrote:
>>>>>>> >
>>>>>>> > I have submitted a draft proposal:
>>>>>>> > https://docs.google.com/document/d/12wRjA8sOWNOuApHZ_fm0n1aIPLVPt9Xm2yGiMwiK3AI/edit.
>>>>>>> > Could you please provide some feedback?
>>>>>>>
>>>>>>> Cool, thank you very much, it looks nice, please give us a bit of time.
>>>>>>>
>>>>>>> One question: what precisely is your plan for setting up disposable builds for PRs?
>>>>>>>
>>>>>>> Mojca
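
The admin-comment trigger discussed in the thread above ("Go Buildbot" from a maintainer), sketched as an added example that is not part of the original messages or of the MacPorts or Buildbot code. Payload field names follow GitHub's `issue_comment` webhook; `TRIGGER`, `TRUSTED`, `should_trigger_build` and `sample_event` are hypothetical names, and the sample payloads are constructed.

```python
# Added example, not from the thread: decide whether a GitHub webhook event is
# a maintainer's "Go Buildbot" comment on an open pull request.
# Payload field names follow GitHub's issue_comment webhook; TRIGGER, TRUSTED,
# should_trigger_build and sample_event are hypothetical names for this sketch.
TRIGGER = "go buildbot"
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}


def should_trigger_build(event_name, payload):
    """Return the PR number to build, or None when the event is ignored."""
    # Only freshly created comments count; an edit could change the body later.
    if event_name != "issue_comment" or payload.get("action") != "created":
        return None
    issue = payload.get("issue") or {}
    # Comments on plain issues carry no "pull_request" key.
    if "pull_request" not in issue or issue.get("state") != "open":
        return None
    comment = payload.get("comment") or {}
    # The PR author is typically CONTRIBUTOR or NONE and cannot self-approve.
    if comment.get("author_association") not in TRUSTED:
        return None
    # Require the phrase alone on a line so a quoted "> Go Buildbot" is ignored.
    body = comment.get("body") or ""
    if not any(line.strip().lower() == TRIGGER for line in body.splitlines()):
        return None
    return issue.get("number")


def sample_event(body, association, action="created", is_pr=True):
    """Build a constructed (not captured) issue_comment payload for testing."""
    issue = {"number": 42, "state": "open"}
    if is_pr:
        issue["pull_request"] = {"url": "https://api.github.example/pulls/42"}
    return {
        "action": action,
        "issue": issue,
        "comment": {"body": body, "author_association": association},
    }


if __name__ == "__main__":
    print(should_trigger_build("issue_comment", sample_event("Go Buildbot", "MEMBER")))
    print(should_trigger_build("issue_comment", sample_event("Go Buildbot", "NONE")))
```

The comment approves only what the maintainer reviewed, so a real setup would also record the PR head commit at approval time and build that commit, not whatever is pushed afterwards.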