Re: [mylyn-dev] changes to Mylyn Gerrit builds

Thanks for the heads-up Sam.  How do we access the /shared/mylyn/org.eclipse.mylyn/contributor_whitelist.txt file?

David

On Fri, Jul 24, 2015 at 5:13 PM Sam Davis <sam.davis@xxxxxxxxxxx> wrote:
Hi,

In order to protect against unauthorized users pushing malicious code to Gerrit and having it automatically executed by the gerrit-trigger plugin, I'm going to be changing the configuration of the gerrit-mylyn-* builds at https://hudson.eclipse.org/mylyn/.

Builds started by Gerrit will be aborted if the patch set submitter is not a committer on the project, and is not on a project-specific whitelist defined at /shared/mylyn/org.eclipse.mylyn/contributor_whitelist.txt. In that case, a committer or someone on the whitelist will need to review the contribution to ensure it does not attempt to run malicious code. They can then retrigger the aborted build and it will run normally.

I realize this is going to be somewhat annoying, and that untrusted contributors will need to wait longer before they find out whether their build succeeded, but I don't think there is a better solution available at this time. See bug 375350 for more information about this issue. The reason this has become necessary now is that migrating all Mylyn builds to the Mylyn HIPP (bug 472401) will require us to allow the HIPP to write to the downloads area, and I want to prevent malicious parties from causing trouble.

Please let me know if you have any comments on this or if something isn't working correctly.

Contributor Whitelist

In order to minimize the extra work of having to retrigger builds, there is a whitelist of contributors who, even though they are not committers, are trusted not to act maliciously. The whitelist is defined at:

/shared/mylyn/org.eclipse.mylyn/contributor_whitelist.txt

Committers should have write access and should feel free to add the emails of trusted contributors to the list.

Thanks,
Sam
_______________________________________________
mylyn-dev mailing list
mylyn-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mylyn-dev
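
The submitter check described in the message above could be written as a shell build step like the one below. This is an added example, not the configuration actually used on the Mylyn Hudson instance, and it covers only the submitter check, not the retrigger path. It assumes the whitelist holds one email per line with `#` comments, that the job reads the `GERRIT_PATCHSET_UPLOADER_EMAIL` variable exported by the Gerrit Trigger plugin, and that committers are listed in a file at a placeholder path (`COMMITTERS_FILE` is hypothetical).

```shell
#!/bin/sh
# Added example: fail-closed submitter gate for a Gerrit-triggered build.
# Assumed list format: one email per line, '#' starts a comment.

WHITELIST_FILE=${WHITELIST_FILE:-/shared/mylyn/org.eclipse.mylyn/contributor_whitelist.txt}
# Hypothetical: the page does not say where the committer list comes from.
COMMITTERS_FILE=${COMMITTERS_FILE:-/path/to/committers.txt}

# Lowercase and trim, so list entries and the submitter compare equal.
normalize() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# list_contains FILE EMAIL: true only for an exact whole-line entry.
# -F stops '.' in an address acting as a regex wildcard; -x stops
# substring matches such as "b@example.org" against "ab@example.org".
list_contains() {
    [ -r "$1" ] || return 1            # unreadable list: trust nobody
    sed 's/#.*//' "$1" | normalize | grep -Fxq -- "$2"
}

# is_trusted_submitter EMAIL COMMITTERS_FILE WHITELIST_FILE
is_trusted_submitter() {
    submitter=$(printf '%s' "$1" | normalize)
    case $submitter in
        *[!a-z0-9@._+-]*) return 1 ;;  # unexpected characters: reject
        ?*@?*) ;;                      # minimal shape check
        *) return 1 ;;                 # empty or no '@': reject
    esac
    list_contains "$2" "$submitter" || list_contains "$3" "$submitter"
}

# Build step: runs only inside a Gerrit-triggered job.
if [ -n "${GERRIT_PATCHSET_UPLOADER_EMAIL:-}" ]; then
    if ! is_trusted_submitter "$GERRIT_PATCHSET_UPLOADER_EMAIL" \
            "$COMMITTERS_FILE" "$WHITELIST_FILE"; then
        echo "Submitter is not a committer or whitelisted; aborting until reviewed." >&2
        exit 1
    fi
fi
```

Because the whitelist itself decides whose code runs unreviewed, write access to it deserves the same care as commit rights.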
