marcoabreu commented on a change in pull request #19654:
URL: https://github.com/apache/incubator-mxnet/pull/19654#discussion_r541189742
##########
File path: ci/build.py
##########
@@ -117,6 +123,9 @@ def run_cmd():
image_id = _get_local_image_id(docker_tag=tag)
if not image_id:
raise FileNotFoundError('Unable to find docker image id matching with
{}'.format(tag))
+ # now that we've built the container, push it to our docker cache if
DOCKER_ECR_CACHE is defined
+ if 'DOCKER_ECR_REGISTRY' in os.environ:
+ push_docker_cache(registry, tag, image_id)
Review comment:
My concern here is not that people can run random stuff in their
Dockerfiles. They can already do that and that's an accepted risk. My point
here is that this approach opens up a path for privilige escalation by
leveraging the ECR repository to run malicious code in the restricted jobs.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
