Re: [eclipse.org-committers] Malicious executable content in Gerrit contributions

Executable checks alone won't help – it is just as possible for a JUnit test to do something naughty.

Alex

Sent from my iPhat 6

> On 10 Dec 2014, at 14:08, LETAVERNIER Camille <Camille.LETAVERNIER@xxxxxx> wrote:
> 
> Hi Denis,
> 
> Maybe having a white-list of usual contributors (Allowed to have an auto-trigger) would help. For others, only manual-trigger (From a Committer) would be allowed.
> 
> Camille
> 
> -----Original Message-----
> From: eclipse.org-committers-bounces@xxxxxxxxxxx [mailto:eclipse.org-committers-bounces@xxxxxxxxxxx] On Behalf Of Denis Roy
> Sent: Wednesday 10 December 2014 14:54
> To: eclipse.org-committers@xxxxxxxxxxx
> Subject: [eclipse.org-committers] Malicious executable content in Gerrit contributions
> 
> Well, the moment I've been dreading has finally come... malicious virus/malware is now in our Gerrit database.
> 
> Witness: https://git.eclipse.org/r/#/c/37910/
> 
> This shows the intention of the contributor:
> 
> https://git.eclipse.org/r/#/c/37910/1/features/papyrus-tests-features/org.eclipse.papyrus.tests.build.feature/epl-v10.html
> 
> 
> In this case, the bad contribution was picked up and built by Hudson... 
> Many projects also run tests on these unknown contributions, which means Hudson not only builds the malicious code, but executes it too.
> 
> I am convinced that this practice, albeit convenient for projects, can ultimately lead to really bad things.
> 
> Discuss in this bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=375350
> 
> The Hudson Gerrit plugin allows several trigger events... "Patchset Created" is probably not the best event to use.  Right now I cannot see any other events, but having a first human verification that the contribution is not a Linux executable or shell script is definitely what I would recommend.
> 
> Denis
> _______________________________________________
> eclipse.org-committers mailing list
> eclipse.org-committers@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/eclipse.org-committers
> 
> IMPORTANT: Membership in this list is generated by processes internal to the Eclipse Foundation.  To be permanently removed from this list, you must contact emo@xxxxxxxxxxx to request removal.
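
The trigger gate Camille and Denis describe, as an added example that is not from the thread, the Papyrus project or the Hudson Gerrit plugin: only allow-listed authors auto-trigger on "Patchset Created", and any newly added Linux executable, shebang script or binary in the patchset is surfaced for the committer who triggers manually. The allow-list, the sample diff and the function names are constructed for illustration; Alex's caveat is why the executable scan only informs the decision rather than making it.

```python
import re

# Constructed allow-list of contributors whose patchsets may auto-trigger a build.
ALLOWLIST = {"camille.letavernier", "denis.roy"}

# Constructed sample patchset: a new shell script, a harmless HTML file and a
# new binary file.
SAMPLE_DIFF = """\
diff --git a/tools/run.sh b/tools/run.sh
new file mode 100755
--- /dev/null
+++ b/tools/run.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo hello
diff --git a/epl-v10.html b/epl-v10.html
new file mode 100644
--- /dev/null
+++ b/epl-v10.html
@@ -0,0 +1 @@
+<html></html>
diff --git a/bin/tool b/bin/tool
new file mode 100644
Binary files /dev/null and b/bin/tool differ
"""

MODE_RE = re.compile(r"^new (?:file )?mode (\d{6})$", re.M)
SHEBANG_RE = re.compile(r"^\+#!", re.M)
BINARY_RE = re.compile(r"^(?:Binary files .* differ|GIT binary patch)$", re.M)


def executable_files(diff_text):
    """Paths in a git unified diff that look like Linux executables or scripts:
    exec bit in the new file mode, a shebang line being added, or binary content."""
    flagged = []
    for chunk in re.split(r"^diff --git ", diff_text, flags=re.M)[1:]:
        header, _, body = chunk.partition("\n")
        path = header.split(" b/", 1)[1]
        mode = MODE_RE.search(body)
        exec_bit = bool(mode) and int(mode.group(1), 8) & 0o111
        if exec_bit or SHEBANG_RE.search(body) or BINARY_RE.search(body):
            flagged.append(path)
    return flagged


def trigger_decision(author, diff_text):
    """Decide whether Hudson may build on "Patchset Created".
    Only allow-listed authors auto-trigger; anyone else waits for a committer to
    trigger manually. The flagged paths are hints for that committer, not the
    gate itself: a JUnit test can do as much harm as a shell script, so an
    unknown contributor is never auto-built even when nothing is flagged."""
    hints = executable_files(diff_text)
    return ("auto" if author in ALLOWLIST else "manual", hints)
```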