Home page logo

wireshark logo Wireshark mailing list archives

Re: Gerrit versus Buildbot
From: Guy Harris <guy () alum mit edu>
Date: Thu, 20 Mar 2014 17:11:05 -0700

On Mar 20, 2014, at 2:24 PM, Chris Kilgour <techie () whiterocker com> wrote:

On 03/20/2014 01:07 PM, Gerald Combs wrote:

If the build system had open access what would keep someone from
uploading a shell script containing a box full of weasels wearing clown

Isn't the same thing true for Jenkins/buildbot spawned from gerrit?  Surely the build machines must be 
limited/sandboxed to prevent the circus from taking over the town.

Currently, it's limited to building stuff to which at least one core developer is willing to give +2.  That requires 
human judgement, so it's not as rigid as a hardware/software-implemented sandbox.

Yes, a very tight sandbox, so that filling up Makefile.am with weasels will only allow them to eliminate in a limited 
enclosed space, might do the job.  Probably something like a VM, created afresh for every build, would do the trick.  
If the creation is done by cloning, that might even be fast enough.

Most buildbots run on OSes capable of running as guests for various virtualization programs (OS X, Windows, Ubuntu 
Linux), and maybe the Solaris buildbot could run in a zone, so that might be doable.

But I've never managed a build farm, so I might be missing something.

Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]