On Sat, 29 Dec 2018 at 20:41, Mickael Istria <mist...@redhat.com> wrote:

> I'm glad to see that PR build/merge discussed, it seems to have a good
> potential value for many in simplifying it.
>
> FWIW, at Eclipse Foundation, similar questions were faced and risks
> identified. The result is that at the moment, all PRs from anyone can be
> built on Eclipse infra without much visible restriction. The Foundation
> might have extra guards under the hood but it's not something we developers
> need to care about.
> While this is probably unsafe, it's so far so good. We weren't warned by
> the Foundation about malicious usage of this permissive access to build
> machines.
>

As one of the primary developers of Jenkins and as a member of the Jenkins
CERT team I cannot and do not endorse that viewpoint. Unless and until ASF
infra has throw-away build machines, I do not recommend running CI builds
of PRs from unknown actors (it being trivial to set up a throw-away GitHub
account) on the ASF dedicated build agents. Eclipse is being fools if they
are allowing similar.


> AFAIK, there is no issue from developer POV about GitHub API rates limit.
> I suggest the Apache infra team gets in touch with Eclipse Foundation one
> to sort out whether similar configurations could be implemented in a
> safe-enough way.
>
> The GitHub PR builder plugin already has support for whitelisting users and
> giving them ability to trigger a build from a non-whitelisted contributor
> with a single «test PR» comment or similar.
> Then build progress and report are reported as expected.
> And, again, TravisCI also does the same in a decent way, with the benefit
> of worrying less about underlying infra and security, and only drawback of
> being discoupled from a specific infra (is it really a drawback?)
>

I think we could easily use TravisCI or one of the cloud CI vendors to
perform trial builds of PRs on GitHub. What is of importance to the ASF is
that the build of ASF hosted code are on ASF hosted hardware... until the
PR is merged it is not ASF hosted code, it exists only on GitHub.


>
> Cheers,
>
>
> --
> Mickael Istria
> Eclipse IDE <https://www.eclipse.org/downloads/eclipse-packages/>
> developer, for Red Hat Developers <https://developers.redhat.com/>
>

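An added example, not code from this thread or from the GitHub PR Builder plugin, of the gating rule Mickael describes: a PR from a fork is built only when its author is allowlisted or an allowlisted user has left a «test PR» comment on the current head. All names, fields and sample data below are assumed.

```python
# Added example: decide whether a pull request may run on a shared build agent.
# Names and the data model are assumptions, not the plugin's real API.
from dataclasses import dataclass, field

TRIGGER_PHRASE = "test PR"   # comment a maintainer leaves to approve a build


@dataclass
class Comment:
    user: str
    text: str
    at: int                  # comment time, constructed epoch seconds


@dataclass
class PullRequest:
    author: str
    from_fork: bool          # head branch lives in a fork, not the base repo
    head_pushed_at: int      # time of the latest push to the PR branch
    comments: list = field(default_factory=list)


def should_build(pr, allowlist):
    """Return (allowed, reason).

    Branches inside the base repository are built as usual. Fork PRs run only
    for allowlisted authors, or once an allowlisted user approves the *current*
    head: an approval given before the latest push does not cover commits
    pushed afterwards, which closes the approve-then-push gap.
    """
    if not pr.from_fork:
        return True, "branch in base repository"
    if pr.author in allowlist:
        return True, "author is allowlisted"
    for c in pr.comments:
        if (c.user in allowlist and TRIGGER_PHRASE in c.text
                and c.at >= pr.head_pushed_at):
            return True, f"approved by {c.user}"
    return False, "fork PR from unknown author without maintainer approval"


if __name__ == "__main__":
    # Constructed sample: approval was given, then new commits were pushed.
    pr = PullRequest("newaccount", True, head_pushed_at=100,
                     comments=[Comment("maintainer", "test PR", at=90)])
    print(should_build(pr, {"maintainer"}))
```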