Let me re-summarize, since I think people are not reading the whole thread or
the JIRA issue linked upthread.
I'm only concerned about Royale, which is the project I work on.
On 1/6/19, 11:12 PM, "Hervé BOUTEMY" wrote:
> I don't have a strong opinion on the above, but I'm very concerned
Le lundi 7 janvier 2019, 03:57:53 CET Roman Shaposhnik a écrit :
> On Sun, Jan 6, 2019 at 6:50 PM Alex Harui wrote:
> > OK, apparently Infra doesn't want to discuss this in a JIRA issue so I
> > will try to continue it here and bug people with emails if the thread
> > stagnates like it did last ti
On 1/6/19, 8:28 PM, "Roman Shaposhnik" wrote:
> All commits, even PRs from non-committers accepted by a committer are
supposed to be reviewed, AIUI. So if the bot makes a commit to the repo, the
PMC is responsible for reviewing it. In Royale's case, the bot should only be
changing pom.
On 1/6/19, 8:30 PM, "Dave Fisher" wrote:
Sent from my iPhone
> On Jan 6, 2019, at 7:53 PM, Roman Shaposhnik wrote:
>
>> On Sun, Jan 6, 2019 at 7:38 PM Alex Harui wrote:
>>
>>
>>
>> On 1/6/19, 6:58 PM, "Roman Shaposhnik" wrote:
>>
Sent from my iPhone
> On Jan 6, 2019, at 7:53 PM, Roman Shaposhnik wrote:
>
>> On Sun, Jan 6, 2019 at 7:38 PM Alex Harui wrote:
>>
>>
>>
>> On 1/6/19, 6:58 PM, "Roman Shaposhnik" wrote:
>>
>>>On Sun, Jan 6, 2019 at 6:50 PM Alex Harui
>>> wrote:
>>>
>>> OK, apparently Infra doesn
On Sun, Jan 6, 2019 at 8:20 PM Alex Harui wrote:
>
>
>
> On 1/6/19, 7:54 PM, "Roman Shaposhnik" wrote:
>
> On Sun, Jan 6, 2019 at 7:38 PM Alex Harui
> wrote:
> >
> >
> >
> > On 1/6/19, 6:58 PM, "Roman Shaposhnik" wrote:
> >
> > On Sun, Jan 6, 2019 at 6:50 PM Al
On 1/6/19, 7:54 PM, "Roman Shaposhnik" wrote:
On Sun, Jan 6, 2019 at 7:38 PM Alex Harui wrote:
>
>
>
> On 1/6/19, 6:58 PM, "Roman Shaposhnik" wrote:
>
> On Sun, Jan 6, 2019 at 6:50 PM Alex Harui wrote:
> >
> > OK, apparently Infra doesn't wan
On Sun, Jan 6, 2019 at 7:38 PM Alex Harui wrote:
>
>
>
> On 1/6/19, 6:58 PM, "Roman Shaposhnik" wrote:
>
> On Sun, Jan 6, 2019 at 6:50 PM Alex Harui
> wrote:
> >
> > OK, apparently Infra doesn't want to discuss this in a JIRA issue so I
> will try to continue it here and bug peopl
On 1/6/19, 6:58 PM, "Roman Shaposhnik" wrote:
On Sun, Jan 6, 2019 at 6:50 PM Alex Harui wrote:
>
> OK, apparently Infra doesn't want to discuss this in a JIRA issue so I
will try to continue it here and bug people with emails if the thread stagnates
like it did last time.
>
On Sun, Jan 6, 2019 at 6:50 PM Alex Harui wrote:
>
> OK, apparently Infra doesn't want to discuss this in a JIRA issue so I will
> try to continue it here and bug people with emails if the thread stagnates
> like it did last time.
>
> I'm unclear what questions and problems are of concern here s
OK, apparently Infra doesn't want to discuss this in a JIRA issue so I will try
to continue it here and bug people with emails if the thread stagnates like it
did last time.
I'm unclear what questions and problems are of concern here specific to this
ask. IMO:
1) ASF Release Policy currently a
> On Jan 6, 2019, at 1:18 PM, Stephen Connolly wrote:
>
>
>
> On 2019/01/06 18:32:24, Allen Wittenauer
> wrote:
>>
>> a) The ASF has been running untrusted code since before Github existed.
>> From my casual watching of Jenkins, most of the change code we run doesn’t
>> come from Gith
What other organizations are running a similar patch/pr Jenkins capability and
how do they implement "security" to prevent exploits like bitcoin miners and
other attacks?
IMO, if you give free compute resources, the bad people will eventually figure
out how to use it to their advantage.
-Alex
On Sun, Jan 6, 2019, 19:52 Allen Wittenauer
>
> > On Jan 6, 2019, at 10:43 AM, Dominik Psenner wrote:
> >
> > On Sun, Jan 6, 2019, 19:32 Allen Wittenauer
> > >
> >>
> >> a) The ASF has been running untrusted code since before Github existed.
> >> From my casual watching of Jenkins, most of the c
On 2019/01/06 18:43:16, Dominik Psenner wrote:
> On Sun, Jan 6, 2019, 19:32 Allen Wittenauer
>
> >
> > a) The ASF has been running untrusted code since before Github existed.
> > From my casual watching of Jenkins, most of the change code we run doesn’t
> > come from Github PRs. Any solutio
On 2019/01/06 18:32:24, Allen Wittenauer wrote:
>
> a) The ASF has been running untrusted code since before Github existed. From
> my casual watching of Jenkins, most of the change code we run doesn’t come
> from Github PRs. Any solution absolutely needs to consider what happens in a
>
> On Jan 6, 2019, at 10:43 AM, Dominik Psenner wrote:
>
> On Sun, Jan 6, 2019, 19:32 Allen Wittenauer
>
>>
>> a) The ASF has been running untrusted code since before Github existed.
>> From my casual watching of Jenkins, most of the change code we run doesn’t
>> come from Github PRs. Any s
On Sun, Jan 6, 2019, 19:32 Allen Wittenauer
> a) The ASF has been running untrusted code since before Github existed.
> From my casual watching of Jenkins, most of the change code we run doesn’t
> come from Github PRs. Any solution absolutely needs to consider what
> happens in a JIRA-based patch
a) The ASF has been running untrusted code since before Github existed. From
my casual watching of Jenkins, most of the change code we run doesn’t come from
Github PRs. Any solution absolutely needs to consider what happens in a
JIRA-based patch file world. [footnote 1,2]
b) Making everythi
At my day job we use a self hosted gitlab runner to spawn virtualbox
machines that are recycled after every build. Such a linux builder in the
form of a virtualbox machine boots in 8 seconds and then runs whatever it
should run according to the project build scripts. After timeout the gitlab
runner
Well it has been for Apache committers,
But it hasn't for non-committers. Usually the path for outsiders to submit
something and usually after a review by a committer it's run.
I guess we expect someone with commit privileges to be safe, but having code
run by ANYONE is a different topic.
Chris
In my humble opinion - as a member of the Jenkins CERT team - this is not safe.
If the ASF wants to build PRs on ASF hardware there are two options I would
recommend:
Option 1: Do not build PRs automatically, instead require an ASF committer to
request the build of a specific commit hash (there
Le vendredi 4 janvier 2019, 22:06:30 CET Joan Touzet a écrit :
> - Original Message -
>
> > From: "Allen Wittenauer"
> >
> > This is the same model the ASF has used for JIRA for a decade+.
> >
> > It’s always been possible for anyone to submit anything to Jenkins
> >
>