Re: [mylyn-dev] changes to Mylyn Gerrit builds

You should be able to SSH to build.eclipse.org with the username <first initial><last name> and your eclipse.org password, e.g. my username is sdavis.

Sam


--
Sam Davis
Software Engineer, Tasktop Dev
Committer, Eclipse Mylyn
http://tasktop.com

On Mon, Jul 27, 2015 at 10:13 AM, David Green <david.green@xxxxxxxxxxx> wrote:
Thanks for the heads-up Sam.  How do we access the /shared/mylyn/org.eclipse.mylyn/contributor_whitelist.txt file?

David

On Fri, Jul 24, 2015 at 5:13 PM Sam Davis <sam.davis@xxxxxxxxxxx> wrote:
Hi,

In order to protect against unauthorized users pushing malicious code to Gerrit and having it automatically executed by the gerrit-trigger plugin, I'm going to be changing the configuration of the gerrit-mylyn-* builds at https://hudson.eclipse.org/mylyn/.

Builds started by Gerrit will be aborted if the patch set submitter is not a committer on the project, and is not on a project-specific whitelist defined at /shared/mylyn/org.eclipse.mylyn/contributor_whitelist.txt. In that case, a committer or someone on the whitelist will need to review the contribution to ensure it does not attempt to run malicious code. They can then retrigger the aborted build and it will run normally.

I realize this is going to be somewhat annoying, and that untrusted contributors will need to wait longer before they find out whether their build succeeded, but I don't think there is a better solution available at this time. See bug 375350 for more information about this issue. The reason this has become necessary now is that migrating all Mylyn builds to the Mylyn HIPP (bug 472401) will require us to allow the HIPP to write to the downloads area, and I want to prevent malicious parties from causing trouble.

Please let me know if you have any comments on this or if something isn't working correctly.

Contributor Whitelist

In order to minimize the extra work of having to retrigger builds, there is a whitelist of contributors who, even though they are not committers, are trusted not to act maliciously. The whitelist is defined at:

/shared/mylyn/org.eclipse.mylyn/contributor_whitelist.txt

Committers should have write access and should feel free to add the emails of trusted contributors to the list.

Thanks,
Sam
_______________________________________________
mylyn-dev mailing list
mylyn-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mylyn-dev
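
The gate described in the announcement above (abort unless the patch set submitter is a committer or on the contributor whitelist), sketched as shell functions. This is an added example, not part of the original messages and not the actual Mylyn Hudson configuration; the committers file, the one-address-per-line format with `#` comments, the sample addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed trust gate for a Gerrit-triggered build step.
# Assumed list format: one e-mail per line, '#' starts a comment.

# Lower-case and trim a single address.
normalize() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# is_trusted EMAIL FILE... -> 0 only if EMAIL is an exact entry in some FILE.
is_trusted() {
    email=$(normalize "$1"); shift
    case "$email" in
        *[[:space:]]*) return 1 ;;   # embedded whitespace/newline: refuse
        ?*@?*) ;;                    # looks like an address: continue
        *) return 1 ;;               # empty or malformed: refuse
    esac
    for list in "$@"; do
        [ -r "$list" ] || continue   # a missing list grants no trust
        # -F: no regex ('.' is literal); -x: whole line, so
        # "malice@..." cannot ride on an entry for "alice@...".
        if sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$list" |
            tr '[:upper:]' '[:lower:]' | grep -Fxq -- "$email"; then
            return 0
        fi
    done
    return 1
}

# gate_build EMAIL COMMITTERS WHITELIST -> prints RUN or ABORT.
# A real build step would 'exit 1' on ABORT so nothing from the patch set runs.
gate_build() {
    if is_trusted "$1" "$2" "$3"; then echo RUN; else echo ABORT; fi
}

# Demo with constructed data (addresses and file names are made up).
demo_dir=$(mktemp -d)
printf '%s\n' '# committers' 'committer@example.org' > "$demo_dir/committers.txt"
printf '%s\n' 'Alice@Example.org  # trusted' > "$demo_dir/contributor_whitelist.txt"
for uploader in committer@example.org alice@example.org malice@example.org ''; do
    printf '%-24s %s\n' "${uploader:-<empty>}" \
        "$(gate_build "$uploader" "$demo_dir/committers.txt" "$demo_dir/contributor_whitelist.txt")"
done
```

The check has to run before any file from the patch set is executed, since the point of the gate is that untrusted build scripts never start.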
