For those that haven't seen CONTINUUM-1731 yet: I'm working on getting Continuum builds to run isolated from other builds and from the original server system, and to prevent malicious builds/scripts from doing damage or accessing other builds' data in the filesystem.

I'm creating a chroot jail per project group, and before each build invocation Continuum will chroot there (possibly combining with user permissions too), so what the build is going to see is a fake filesystem shared only with the other projects in the same project group.

Setting up the server is quite a PITA: you need a chroot directory per project group with copies of all the authorized programs (java, maven, svn, ...) and the libraries used. There's going to be a Maven repo for each project group too, so the disk space used is going to grow fairly quickly. I think I got it mostly set up now, but it's very server dependent.

Now I'm working on executing the chroot before the build is called; it requires some changes in the way the working directory is selected.

--
I could give you my word as a Spaniard.
No good. I've known too many Spaniards.
-- The Princess Bride
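
The jail setup described in the message above, sketched as an added example; it is not code from the message or from Continuum. The function names and the per-group jail path are hypothetical, and it assumes a Linux host with `ldd` and GNU `chroot`.

```shell
#!/usr/bin/env bash
# Added example: populate a per-project-group chroot with an authorized
# program and the shared libraries it needs, then run a build inside it.
# All function names and the jail layout are assumptions.

# Read `ldd` output on stdin and print the absolute library paths.
# Skips the vdso (no path) and "not found" entries.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # libc.so.6 => /lib/libc.so.6 (0x..)
        $1 ~ /^\//               { print $1 }        # /lib64/ld-linux-x86-64.so.2 (0x..)
    '
}

# Copy one file into the jail under the same absolute path.
# -L dereferences symlinks so the jail never points back at the host.
jail_copy() {
    local jail=$1 src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
}

# Install a binary plus every library ldd reports for it.
# Run ldd only on trusted host programs, never on build outputs:
# ldd may execute code from the file it inspects.
jail_install() {
    local jail=$1 bin=$2 lib
    jail_copy "$jail" "$bin"
    ldd "$bin" 2>/dev/null | ldd_paths | while read -r lib; do
        jail_copy "$jail" "$lib"
    done
}

# Run a command inside the group's jail as an unprivileged user.
# Must be called as root; --userspec drops privileges after the chroot,
# which matters because a process that stays root can leave a chroot.
jail_run() {
    local jail=$1 user=$2
    shift 2
    chroot --userspec="$user:$user" "$jail" "$@"
}

# Usage (as root; path and user are placeholders):
#   jail_install /srv/jails/group-a /bin/sh
#   jail_run     /srv/jails/group-a builduser /bin/sh -c 'id'
```

Scripted programs such as `mvn` need their interpreter and data files (the JDK tree, Maven home) copied as whole directories in addition to what `ldd` reports.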
