Re: Gerrit versus Buildbot
From: Guy Harris <guy () alum mit edu>
Date: Thu, 20 Mar 2014 17:11:05 -0700
On Mar 20, 2014, at 2:24 PM, Chris Kilgour <techie () whiterocker com> wrote:
> On 03/20/2014 01:07 PM, Gerald Combs wrote:
>> If the build system had open access what would keep someone from
>> uploading a shell script containing a box full of weasels wearing clown
> Isn't the same thing true for Jenkins/buildbot spawned from gerrit? Surely the build machines must be
> limited/sandboxed to prevent the circus from taking over the town.
Currently, it's limited to building stuff to which at least one core developer is willing to give +2. That requires
human judgement, so it's not as rigid as a hardware/software-implemented sandbox.
Yes, a very tight sandbox, so that filling up Makefile.am with weasels will only allow them to eliminate in a limited
enclosed space, might do the job. Probably something like a VM, created afresh for every build, would do the trick.
If the creation is done by cloning, that might even be fast enough.
Most buildbots run on OSes capable of running as guests for various virtualization programs (OS X, Windows, Ubuntu
Linux), and maybe the Solaris buildbot could run in a zone, so that might be doable.
But I've never managed a build farm, so I might be missing something.
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>