[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[eclipse.org-committers] Malicious executable content in Gerrit contributions
- From: Denis Roy <denis.roy@xxxxxxxxxxx>
- Date: Wed, 10 Dec 2014 08:54:24 -0500
- Delivered-to: firstname.lastname@example.org
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
Well, the moment I've been dreading has finally come... malicious
virus/malware is now in our Gerrit database.
This shows the intention of the contributor:
In this case, the bad contribution was picked up and built by Hudson...
Many projects also run tests on these unknown contributions, which means
Hudson not only builds the malicious code, but executes it too.
I am convinced that this practice, albeit convenient for projects, can
ultimately lead to really bad things.
Discuss in this bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=375350
The Hudson Gerrit plugin allows several trigger events... "Patchset
Created" is probably not the best event to use. Right now I cannot see
any other events, but having a first human verification that the
contribution is not a Linux executable or shell script is definitely
what I would recommend.