I support improving the process of updating the CI docker images. A couple of
thoughts here:
- I agree the Jenkinsfile security is a little bit arbitrary. I think maybe
there could be an aspect of protecting the Jenkins master (i.e. I think you can
get references to internal shared Java object
[quote="manupa-arm, post:5, topic:12047"]
I am not sure I follow this proposal. Can you elaborate ?
[/quote]
It's mostly that we trust all code running on a branch but not necessarily code
running from PRs from forks, same as how Jenkins treats the `Jenkinsfile`
today. After thinking about thi
@driazati @leandron,
I think this proposal will benefit all the work that requires updates to
dependencies.
@masahi @Leo-arm @elenkalda-arm
I would suggest let's scope scripts that are relevant to this proposal (as it
seems there are already other places the attackers could exploit anyway).
Running arbitrary commands directly on the node is already possible in several
places in the `Jenkinsfile`:
* https://github.com/apache/tvm/blob/main/Jenkinsfile#L97
* https://github.com/apache/tvm/blob/main/Jenkinsfile#L127
* https://github.com/apache/tvm/blob/main/Jenkinsfile#L167
So our secu
I think every advance that closes the gap between the Docker images being
updated and the PRs is very welcome.
One of the reasons it is not _live_ as it would seem logical to be, is because
of security reasons (based on a chat long ago with @tqchen). We can't blindly
run a docker rebuild for
Hi @driazati,
I would support this.
This is a great improvement as this would always verify the patches in the
environment where they are meant to be verified -- without having to merge
docker changes first and then running docker-staging job with the other changes.
@Mousius what do you thi
# Summary
Rebuild Docker images per-build rather than use the pinned Docker Hub images in
the [Jenkinsfile](https://github.com/apache/tvm/blob/main/Jenkinsfile#L48-L54).
# Guide
Note: This is a spin-off discussion from
[https://discuss.tvm.apache.org/t/rfc-a-proposed-update-to-the-docker-ima